[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:09.60,Default,,0000,0000,0000,,{\i1}preroll music{\i0}
Dialogue: 0,0:00:09.60,0:00:11.35,Default,,0000,0000,0000,,Herald: I did some research,
Dialogue: 0,0:00:11.35,0:00:12.88,Default,,0000,0000,0000,,and it was not, not easy
Dialogue: 0,0:00:12.88,0:00:15.51,Default,,0000,0000,0000,,that Diffie-Hellman key exchange
Dialogue: 0,0:00:15.51,0:00:17.54,Default,,0000,0000,0000,,is so much above my pay grade
Dialogue: 0,0:00:17.54,0:00:19.88,Default,,0000,0000,0000,,therefore, I'm going to keep it simple.
Dialogue: 0,0:00:19.88,0:00:21.08,Default,,0000,0000,0000,,Please welcome
Dialogue: 0,0:00:21.08,0:00:24.48,Default,,0000,0000,0000,,we have Alex Halderman from\Nthe University of Michigan,
Dialogue: 0,0:00:24.48,0:00:28.80,Default,,0000,0000,0000,,and Nadia Heninger from\Nthe University of Pennsylvania.
Dialogue: 0,0:00:28.80,0:00:32.76,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:00:32.76,0:00:37.27,Default,,0000,0000,0000,,AH: Thank you.
Dialogue: 0,0:00:37.27,0:00:38.71,Default,,0000,0000,0000,,Thank you all so much.
Dialogue: 0,0:00:38.71,0:00:43.52,Default,,0000,0000,0000,,It's wonderful to be back again at 32C3.
Dialogue: 0,0:00:43.52,0:00:46.43,Default,,0000,0000,0000,,I'm Alex Halderman from\Nthe University of Michigan,
Dialogue: 0,0:00:46.43,0:00:49.38,Default,,0000,0000,0000,,here again this year with,
Dialogue: 0,0:00:49.38,0:00:51.31,Default,,0000,0000,0000,,with many of my students from my group
Dialogue: 0,0:00:51.31,0:00:54.07,Default,,0000,0000,0000,,here in the audience also speaking.
Dialogue: 0,0:00:54.07,0:00:57.11,Default,,0000,0000,0000,,We study security in the real world.
Dialogue: 0,0:00:57.11,0:01:00.96,Default,,0000,0000,0000,,So tonight, we have\Na very special story to tell you
Dialogue: 0,0:01:00.96,0:01:03.67,Default,,0000,0000,0000,,that I'm very proud to be telling
Dialogue: 0,0:01:03.67,0:01:06.26,Default,,0000,0000,0000,,along with my colleague Nadia Heninger.
Dialogue: 0,0:01:06.26,0:01:07.66,Default,,0000,0000,0000,,We're going to be talking
Dialogue: 0,0:01:07.66,0:01:10.89,Default,,0000,0000,0000,,about discrete log, Diffie-Hellman
Dialogue: 0,0:01:10.89,0:01:13.77,Default,,0000,0000,0000,,and some of the, um,
Dialogue: 0,0:01:13.77,0:01:15.79,Default,,0000,0000,0000,,the research that we've done
Dialogue: 0,0:01:15.79,0:01:16.89,Default,,0000,0000,0000,,over the past year,
Dialogue: 0,0:01:16.89,0:01:19.50,Default,,0000,0000,0000,,try to understand how the NSA
Dialogue: 0,0:01:19.50,0:01:21.64,Default,,0000,0000,0000,,may be breaking so much of the crypto
Dialogue: 0,0:01:21.64,0:01:23.74,Default,,0000,0000,0000,,that we know they're breaking.
Dialogue: 0,0:01:23.74,0:01:25.68,Default,,0000,0000,0000,,Why do we...? So this work is
Dialogue: 0,0:01:25.68,0:01:28.84,Default,,0000,0000,0000,,joint work with a number of co-authors,
Dialogue: 0,0:01:28.84,0:01:30.75,Default,,0000,0000,0000,,with 12 other co-authors,
Dialogue: 0,0:01:30.75,0:01:33.57,Default,,0000,0000,0000,,3 of them are in this room right now,
Dialogue: 0,0:01:33.57,0:01:34.75,Default,,0000,0000,0000,,and I'd ask to stand up
Dialogue: 0,0:01:34.75,0:01:35.92,Default,,0000,0000,0000,,but they said they didn't want to
Dialogue: 0,0:01:35.92,0:01:38.21,Default,,0000,0000,0000,,so please, a quick round of applause
Dialogue: 0,0:01:38.21,0:01:39.79,Default,,0000,0000,0000,,for my co-authors as well.
Dialogue: 0,0:01:39.79,0:01:47.98,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:01:47.98,0:01:49.79,Default,,0000,0000,0000,,So, thank you.
Dialogue: 0,0:01:49.79,0:01:51.10,Default,,0000,0000,0000,,So in this very room,
Dialogue: 0,0:01:51.10,0:01:53.62,Default,,0000,0000,0000,,a year ago at 31C3,
Dialogue: 0,0:01:53.62,0:01:56.25,Default,,0000,0000,0000,,Jacob Appelbaum and Laura Poitras
Dialogue: 0,0:01:56.25,0:01:59.25,Default,,0000,0000,0000,,gave a talk, "Reconstructing Narratives",
Dialogue: 0,0:01:59.25,0:02:02.86,Default,,0000,0000,0000,,in which they announced some new results
Dialogue: 0,0:02:02.86,0:02:05.45,Default,,0000,0000,0000,,from the Snowden archives.
Dialogue: 0,0:02:05.45,0:02:08.78,Default,,0000,0000,0000,,They were able to tell us how the NSA,
Dialogue: 0,0:02:08.78,0:02:11.92,Default,,0000,0000,0000,,that the NSA was breaking cryptography
Dialogue: 0,0:02:11.92,0:02:15.32,Default,,0000,0000,0000,,used in widespread online communication.
Dialogue: 0,0:02:15.32,0:02:17.66,Default,,0000,0000,0000,,And, they later published
Dialogue: 0,0:02:17.66,0:02:20.89,Default,,0000,0000,0000,,an article in der Spiegel,
Dialogue: 0,0:02:20.89,0:02:23.61,Default,,0000,0000,0000,,in which the article included documents
Dialogue: 0,0:02:23.61,0:02:27.69,Default,,0000,0000,0000,,that showed indeed the scope of NSA
Dialogue: 0,0:02:27.69,0:02:30.41,Default,,0000,0000,0000,,breaking widely used encryption
Dialogue: 0,0:02:30.41,0:02:32.21,Default,,0000,0000,0000,,was significant.
Dialogue: 0,0:02:32.21,0:02:33.75,Default,,0000,0000,0000,,That NSA is breaking,
Dialogue: 0,0:02:33.75,0:02:35.56,Default,,0000,0000,0000,,maybe not all crypto,
Dialogue: 0,0:02:35.56,0:02:38.23,Default,,0000,0000,0000,,but they're able to break\Nwidely used crypto
Dialogue: 0,0:02:38.23,0:02:40.25,Default,,0000,0000,0000,,from many of the different kinds
Dialogue: 0,0:02:40.25,0:02:44.54,Default,,0000,0000,0000,,of services and protocols we care about.
Dialogue: 0,0:02:44.54,0:02:46.40,Default,,0000,0000,0000,,What the leaks didn't answer
Dialogue: 0,0:02:46.40,0:02:49.44,Default,,0000,0000,0000,,is how NSA is breaking this cryptography
Dialogue: 0,0:02:49.44,0:02:51.21,Default,,0000,0000,0000,,and to a technologist,
Dialogue: 0,0:02:51.21,0:02:54.02,Default,,0000,0000,0000,,well, if we don't know\Nhow they're breaking it,
Dialogue: 0,0:02:54.02,0:02:56.97,Default,,0000,0000,0000,,what can we do to stop it?
Dialogue: 0,0:02:56.97,0:02:59.76,Default,,0000,0000,0000,,So, Nadia and I and our co-authors set out
Dialogue: 0,0:02:59.76,0:03:00.78,Default,,0000,0000,0000,,earlier this year
Dialogue: 0,0:03:00.78,0:03:03.55,Default,,0000,0000,0000,,to try to, through our research,
Dialogue: 0,0:03:03.55,0:03:05.78,Default,,0000,0000,0000,,start answering those questions.
Dialogue: 0,0:03:05.78,0:03:08.11,Default,,0000,0000,0000,,How is NSA likely to be breaking
Dialogue: 0,0:03:08.11,0:03:10.10,Default,,0000,0000,0000,,likely used cryptography,
Dialogue: 0,0:03:10.10,0:03:13.33,Default,,0000,0000,0000,,and what can we and other researchers do
Dialogue: 0,0:03:13.33,0:03:15.17,Default,,0000,0000,0000,,to stop government from being able
Dialogue: 0,0:03:15.17,0:03:18.35,Default,,0000,0000,0000,,to attack the crypto\Nthat all of us depend on?
Dialogue: 0,0:03:18.35,0:03:21.13,Default,,0000,0000,0000,,So, so...\N{\i1}applause{\i0}
Dialogue: 0,0:03:21.13,0:03:24.24,Default,,0000,0000,0000,,Let's tell the story.
Dialogue: 0,0:03:24.24,0:03:28.03,Default,,0000,0000,0000,,Wait until you see how it ends!
Dialogue: 0,0:03:28.03,0:03:30.39,Default,,0000,0000,0000,,So if I were setting out as the attacker
Dialogue: 0,0:03:30.39,0:03:32.14,Default,,0000,0000,0000,,to break widely used crypto,
Dialogue: 0,0:03:32.14,0:03:35.99,Default,,0000,0000,0000,,well, there's a few different ways\Nthat I could do it.
Dialogue: 0,0:03:35.99,0:03:38.04,Default,,0000,0000,0000,,One branch of the decision tree here
Dialogue: 0,0:03:38.04,0:03:40.27,Default,,0000,0000,0000,,is attacking the implementations
Dialogue: 0,0:03:40.27,0:03:42.47,Default,,0000,0000,0000,,right, either finding vulnerabilities
Dialogue: 0,0:03:42.47,0:03:43.98,Default,,0000,0000,0000,,or introducing backdoors,
Dialogue: 0,0:03:43.98,0:03:46.85,Default,,0000,0000,0000,,we've all been witnessing over the past
Dialogue: 0,0:03:46.85,0:03:50.61,Default,,0000,0000,0000,,week or so with Juniper and their systems
Dialogue: 0,0:03:50.61,0:03:54.04,Default,,0000,0000,0000,,being compromised.
Dialogue: 0,0:03:54.04,0:03:57.29,Default,,0000,0000,0000,,On the other hand,\Nthere's another prong you could take.
Dialogue: 0,0:03:57.29,0:03:59.98,Default,,0000,0000,0000,,You could try to attack the crypto\Nalgorithms themselves,
Dialogue: 0,0:03:59.98,0:04:01.93,Default,,0000,0000,0000,,the underlying crypto.
Dialogue: 0,0:04:01.93,0:04:02.95,Default,,0000,0000,0000,,And the difference is,
Dialogue: 0,0:04:02.95,0:04:04.44,Default,,0000,0000,0000,,if you're attacking implementations,
Dialogue: 0,0:04:04.44,0:04:05.83,Default,,0000,0000,0000,,you have to make a big investment
Dialogue: 0,0:04:05.83,0:04:09.02,Default,,0000,0000,0000,,in every hardware device\Nand piece of software
Dialogue: 0,0:04:09.02,0:04:10.84,Default,,0000,0000,0000,,that you're trying to compromise.
Dialogue: 0,0:04:10.84,0:04:13.16,Default,,0000,0000,0000,,If you're attacking the underlying crypto,
Dialogue: 0,0:04:13.16,0:04:17.34,Default,,0000,0000,0000,,you have just one, a one-stop shop
Dialogue: 0,0:04:17.34,0:04:21.03,Default,,0000,0000,0000,,to gain access to,\Npotentially a very wide swath
Dialogue: 0,0:04:21.03,0:04:23.04,Default,,0000,0000,0000,,of all the crypto in use.
Dialogue: 0,0:04:23.04,0:04:25.14,Default,,0000,0000,0000,,So a small number of algorithms
Dialogue: 0,0:04:25.14,0:04:28.23,Default,,0000,0000,0000,,predominate for both\Nsymmetric cryptography,
Dialogue: 0,0:04:28.23,0:04:30.59,Default,,0000,0000,0000,,things like AES and RC4,
Dialogue: 0,0:04:30.59,0:04:32.71,Default,,0000,0000,0000,,but those particular algorithms anyway,
Dialogue: 0,0:04:32.71,0:04:34.51,Default,,0000,0000,0000,,most cryptographers seem to think
Dialogue: 0,0:04:34.51,0:04:35.66,Default,,0000,0000,0000,,that breaking them,
Dialogue: 0,0:04:35.66,0:04:37.30,Default,,0000,0000,0000,,at least in the general case,
Dialogue: 0,0:04:37.30,0:04:39.47,Default,,0000,0000,0000,,is pretty hard right now.
Dialogue: 0,0:04:39.47,0:04:41.30,Default,,0000,0000,0000,,Instead though, we also have
Dialogue: 0,0:04:41.30,0:04:44.20,Default,,0000,0000,0000,,a very small number of\Npublic key crypto algorithms
Dialogue: 0,0:04:44.20,0:04:46.56,Default,,0000,0000,0000,,that are also in use very widely
Dialogue: 0,0:04:46.56,0:04:50.34,Default,,0000,0000,0000,,for most or all of the protocols\Nand services we care about.
Dialogue: 0,0:04:50.34,0:04:53.06,Default,,0000,0000,0000,,Things like RSA and Diffie-Hellman.
Dialogue: 0,0:04:53.06,0:04:55.78,Default,,0000,0000,0000,,And here be dragons, as they say,
Dialogue: 0,0:04:55.78,0:04:59.52,Default,,0000,0000,0000,,this is the cryptography that we\Nand many other cryptographers
Dialogue: 0,0:04:59.52,0:05:02.61,Default,,0000,0000,0000,,think is most likely to be targeted.
Dialogue: 0,0:05:02.61,0:05:04.96,Default,,0000,0000,0000,,So, I'll hand it off to Nadia
Dialogue: 0,0:05:04.96,0:05:08.06,Default,,0000,0000,0000,,to talk about breaking public key.
Dialogue: 0,0:05:08.06,0:05:15.17,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:05:15.17,0:05:16.82,Default,,0000,0000,0000,,NH: So, in order to understand
Dialogue: 0,0:05:16.82,0:05:19.24,Default,,0000,0000,0000,,a little bit about\Nhow cryptanalysis works,
Dialogue: 0,0:05:19.24,0:05:20.80,Default,,0000,0000,0000,,I'm going to go all the way back
Dialogue: 0,0:05:20.80,0:05:23.35,Default,,0000,0000,0000,,to the very beginning of\Npublic key cryptography
Dialogue: 0,0:05:23.35,0:05:25.46,Default,,0000,0000,0000,,from the 70s,
Dialogue: 0,0:05:25.46,0:05:28.73,Default,,0000,0000,0000,,and I'll start by explaining\Na little bit about RSA.
Dialogue: 0,0:05:28.73,0:05:31.67,Default,,0000,0000,0000,,This is Rivest, Shamir, and Adleman\Nup on the screen here,
Dialogue: 0,0:05:31.67,0:05:33.52,Default,,0000,0000,0000,,from the 70s, you can tell.
Dialogue: 0,0:05:33.52,0:05:35.78,Default,,0000,0000,0000,,And this is sort of the simple example,
Dialogue: 0,0:05:35.78,0:05:37.36,Default,,0000,0000,0000,,and then we'll talk a little bit more
Dialogue: 0,0:05:37.36,0:05:40.90,Default,,0000,0000,0000,,about the actual\NDiffie-Hellman-based cryptanalysis
Dialogue: 0,0:05:40.90,0:05:43.27,Default,,0000,0000,0000,,that we're actually talking about.
Dialogue: 0,0:05:43.27,0:05:46.77,Default,,0000,0000,0000,,So, this is the first public-key\Ncrypto algorithm
Dialogue: 0,0:05:46.77,0:05:47.80,Default,,0000,0000,0000,,that was ever published,
Dialogue: 0,0:05:47.80,0:05:49.94,Default,,0000,0000,0000,,and it is still the most widely used
Dialogue: 0,0:05:49.94,0:05:52.68,Default,,0000,0000,0000,,cryptography, public key cryptography\Nalgorithm out there.
Dialogue: 0,0:05:52.68,0:05:55.39,Default,,0000,0000,0000,,That shows you, I guess something\Nabout the naturalness of ideas,
Dialogue: 0,0:05:55.39,0:05:56.75,Default,,0000,0000,0000,,or maybe the lack of progress
Dialogue: 0,0:05:56.75,0:05:59.05,Default,,0000,0000,0000,,that we've had in the past 40 years.
Dialogue: 0,0:05:59.05,0:06:03.53,Default,,0000,0000,0000,,So, here's sort of the textbook version\Nof RSA encryption,
Dialogue: 0,0:06:03.53,0:06:05.02,Default,,0000,0000,0000,,what we really care about is that...
Dialogue: 0,0:06:05.02,0:06:06.64,Default,,0000,0000,0000,,So, Alice and Bob, they want
Dialogue: 0,0:06:06.64,0:06:08.57,Default,,0000,0000,0000,,to bootstrap communication over
Dialogue: 0,0:06:08.57,0:06:09.76,Default,,0000,0000,0000,,an untrusted channel,
Dialogue: 0,0:06:09.76,0:06:12.01,Default,,0000,0000,0000,,so there's some eavesdropper\Nin between them
Dialogue: 0,0:06:12.01,0:06:13.43,Default,,0000,0000,0000,,who's intercepting their messages.
Dialogue: 0,0:06:13.43,0:06:15.86,Default,,0000,0000,0000,,And, in order to get around this,
Dialogue: 0,0:06:15.86,0:06:17.60,Default,,0000,0000,0000,,they need to somehow figure out
Dialogue: 0,0:06:17.60,0:06:20.98,Default,,0000,0000,0000,,how to share a key in order to
Dialogue: 0,0:06:20.98,0:06:23.13,Default,,0000,0000,0000,,actually encrypt their communications.
Dialogue: 0,0:06:23.13,0:06:25.08,Default,,0000,0000,0000,,And the way that RSA accomplishes this,
Dialogue: 0,0:06:25.08,0:06:30.24,Default,,0000,0000,0000,,is, Bob here on the right has a public key
Dialogue: 0,0:06:30.24,0:06:32.73,Default,,0000,0000,0000,,which in RSA is e modulus N
Dialogue: 0,0:06:32.73,0:06:35.48,Default,,0000,0000,0000,,which is the product of\Ntwo large prime factors,
Dialogue: 0,0:06:35.48,0:06:37.59,Default,,0000,0000,0000,,and he sends this over to Alice,
Dialogue: 0,0:06:37.59,0:06:39.34,Default,,0000,0000,0000,,and Alice uses Bob's public key
Dialogue: 0,0:06:39.34,0:06:41.65,Default,,0000,0000,0000,,to encrypt a message, like a session key,
Dialogue: 0,0:06:41.65,0:06:43.43,Default,,0000,0000,0000,,and send it back to Bob,
Dialogue: 0,0:06:43.43,0:06:45.19,Default,,0000,0000,0000,,and then Bob can decrypt the message,
Dialogue: 0,0:06:45.19,0:06:46.34,Default,,0000,0000,0000,,get the session key,
Dialogue: 0,0:06:46.34,0:06:47.86,Default,,0000,0000,0000,,and they can communicate using
Dialogue: 0,0:06:47.86,0:06:49.51,Default,,0000,0000,0000,,some other symmetric cipher.
Dialogue: 0,0:06:49.51,0:06:53.92,Default,,0000,0000,0000,,So, this is the big picture\Nof RSA encryption.
Dialogue: 0,0:06:53.92,0:06:55.23,Default,,0000,0000,0000,,The reason that we think
Dialogue: 0,0:06:55.23,0:06:58.10,Default,,0000,0000,0000,,that RSA is secure is because
Dialogue: 0,0:06:58.10,0:07:02.87,Default,,0000,0000,0000,,the best way that we know how to break\Nan RSA public key
Dialogue: 0,0:07:02.87,0:07:04.88,Default,,0000,0000,0000,,is to factor the modulus,
Dialogue: 0,0:07:04.88,0:07:08.16,Default,,0000,0000,0000,,and as far as we know,\Nfactoring is not very easy.
Dialogue: 0,0:07:08.16,0:07:10.86,Default,,0000,0000,0000,,So, in particular, factoring is
Dialogue: 0,0:07:10.86,0:07:11.85,Default,,0000,0000,0000,,what we hope is something like
Dialogue: 0,0:07:11.85,0:07:13.18,Default,,0000,0000,0000,,a one-way function,
Dialogue: 0,0:07:13.18,0:07:14.61,Default,,0000,0000,0000,,multiplication is easy,
Dialogue: 0,0:07:14.61,0:07:17.05,Default,,0000,0000,0000,,factoring the number into\Ntwo pieces again is hard,
Dialogue: 0,0:07:17.05,0:07:18.20,Default,,0000,0000,0000,,in some sense.
Dialogue: 0,0:07:18.20,0:07:19.97,Default,,0000,0000,0000,,And the best algorithm that we have
Dialogue: 0,0:07:19.97,0:07:21.19,Default,,0000,0000,0000,,in the general case, of, say
Dialogue: 0,0:07:21.19,0:07:23.72,Default,,0000,0000,0000,,an RSA modulus that's well-generated,
Dialogue: 0,0:07:23.72,0:07:27.11,Default,,0000,0000,0000,,is called the number field sieve.
Dialogue: 0,0:07:27.11,0:07:28.70,Default,,0000,0000,0000,,So here is the...
Dialogue: 0,0:07:28.70,0:07:30.91,Default,,0000,0000,0000,,this is as bad as technical\Nas I'm going to get,
Dialogue: 0,0:07:30.91,0:07:32.79,Default,,0000,0000,0000,,and I'm waving my hands vigorously here,
Dialogue: 0,0:07:32.79,0:07:34.87,Default,,0000,0000,0000,,but here's something along the lines of
Dialogue: 0,0:07:34.87,0:07:36.42,Default,,0000,0000,0000,,what the number field sieve algorithm
Dialogue: 0,0:07:36.42,0:07:37.92,Default,,0000,0000,0000,,actually looks like,
Dialogue: 0,0:07:37.92,0:07:39.55,Default,,0000,0000,0000,,so it's a multi-stage algorithm,
Dialogue: 0,0:07:39.55,0:07:41.24,Default,,0000,0000,0000,,it's rather complex,
Dialogue: 0,0:07:41.24,0:07:43.48,Default,,0000,0000,0000,,some stages parallelise very well,
Dialogue: 0,0:07:43.48,0:07:44.68,Default,,0000,0000,0000,,embarrassingly well,
Dialogue: 0,0:07:44.68,0:07:47.99,Default,,0000,0000,0000,,other stages parallelise somewhat\Nless well,
Dialogue: 0,0:07:47.99,0:07:51.19,Default,,0000,0000,0000,,and so we've got these multiple stages\Nthat we go through,
Dialogue: 0,0:07:51.19,0:07:53.48,Default,,0000,0000,0000,,and at the end of the algorithm,
Dialogue: 0,0:07:53.48,0:07:55.19,Default,,0000,0000,0000,,we discover, we hope, a prime factor
Dialogue: 0,0:07:55.19,0:07:59.93,Default,,0000,0000,0000,,of the number that we're trying to factor.
Dialogue: 0,0:07:59.93,0:08:01.58,Default,,0000,0000,0000,,So, how long does it take to factor?
Dialogue: 0,0:08:01.58,0:08:02.71,Default,,0000,0000,0000,,Here's one answer:
Dialogue: 0,0:08:02.71,0:08:04.16,Default,,0000,0000,0000,,if you ask a number theorist, this is
Dialogue: 0,0:08:04.16,0:08:05.59,Default,,0000,0000,0000,,the answer that they all give you,
Dialogue: 0,0:08:05.59,0:08:07.48,Default,,0000,0000,0000,,they all go through the optimisation,
Dialogue: 0,0:08:07.48,0:08:09.68,Default,,0000,0000,0000,,and they will tell you the answer is
Dialogue: 0,0:08:09.68,0:08:11.64,Default,,0000,0000,0000,,a sub-exponential function in the size
Dialogue: 0,0:08:11.64,0:08:13.38,Default,,0000,0000,0000,,of the number that we're trying to factor.
Dialogue: 0,0:08:13.38,0:08:14.56,Default,,0000,0000,0000,,That I think is not the answer
Dialogue: 0,0:08:14.56,0:08:16.74,Default,,0000,0000,0000,,that you guys are looking for.
Dialogue: 0,0:08:16.74,0:08:19.98,Default,,0000,0000,0000,,So, here's a slightly more\Nconcrete answer.
Dialogue: 0,0:08:19.98,0:08:21.68,Default,,0000,0000,0000,,So, how long does it take to factor
Dialogue: 0,0:08:21.68,0:08:23.08,Default,,0000,0000,0000,,different sizes of keys?
Dialogue: 0,0:08:23.08,0:08:25.47,Default,,0000,0000,0000,,So, for 512-bit RSA,
Dialogue: 0,0:08:25.47,0:08:29.98,Default,,0000,0000,0000,,the first 512-bit RSA modulus\Nwas factored in 1999
Dialogue: 0,0:08:29.98,0:08:30.78,Default,,0000,0000,0000,,by a group of academics,
Dialogue: 0,0:08:30.78,0:08:34.18,Default,,0000,0000,0000,,that took them 6 months\Nand a few supercomputers,
Dialogue: 0,0:08:34.18,0:08:36.79,Default,,0000,0000,0000,,now you can rent supercomputers\Nby the hour.
Dialogue: 0,0:08:36.79,0:08:38.10,Default,,0000,0000,0000,,So what does that do?
Dialogue: 0,0:08:38.10,0:08:39.68,Default,,0000,0000,0000,,Well, some students of mine
Dialogue: 0,0:08:39.68,0:08:44.10,Default,,0000,0000,0000,,actually were able to factor\Na 512-bit RSA key
Dialogue: 0,0:08:44.10,0:08:48.98,Default,,0000,0000,0000,,for 4 hours and 75 dollars on Amazon EC2.
Dialogue: 0,0:08:48.98,0:08:50.83,Default,,0000,0000,0000,,If you would like to do this too...
Dialogue: 0,0:08:50.83,0:08:54.47,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:08:54.47,0:08:56.88,Default,,0000,0000,0000,,So, you can also do this too,
Dialogue: 0,0:08:56.88,0:08:59.73,Default,,0000,0000,0000,,code is online, right here, download it,
Dialogue: 0,0:08:59.73,0:09:02.56,Default,,0000,0000,0000,,send us bug reports, etc.
Dialogue: 0,0:09:02.56,0:09:05.37,Default,,0000,0000,0000,,So, as we go up in key sizes,
Dialogue: 0,0:09:05.37,0:09:07.54,Default,,0000,0000,0000,,768-bit RSA modulus,
Dialogue: 0,0:09:07.54,0:09:10.07,Default,,0000,0000,0000,,estimate, current estimate is
Dialogue: 0,0:09:10.07,0:09:12.47,Default,,0000,0000,0000,,less than 1000 core-years,
Dialogue: 0,0:09:12.47,0:09:15.05,Default,,0000,0000,0000,,and for sort of reasonable-size\Nacademic clusters,
Dialogue: 0,0:09:15.05,0:09:19.27,Default,,0000,0000,0000,,that should take less than\Na calendar year to finish, now.
Dialogue: 0,0:09:19.27,0:09:22.59,Default,,0000,0000,0000,,That was,\Nthe first 768-bit RSA factorisation
Dialogue: 0,0:09:22.59,0:09:25.44,Default,,0000,0000,0000,,was done in public in 2009.
Dialogue: 0,0:09:25.44,0:09:28.46,Default,,0000,0000,0000,,So, that gives you some idea\Nof sort of the progress.
Dialogue: 0,0:09:28.46,0:09:31.02,Default,,0000,0000,0000,,For 1024-bit RSA, nobody has factored
Dialogue: 0,0:09:31.02,0:09:32.86,Default,,0000,0000,0000,,a key of that size in public,
Dialogue: 0,0:09:32.86,0:09:34.14,Default,,0000,0000,0000,,the estimate is probably,
Dialogue: 0,0:09:34.14,0:09:36.35,Default,,0000,0000,0000,,it's about a million core-years,
Dialogue: 0,0:09:36.35,0:09:37.61,Default,,0000,0000,0000,,which is certainly within range
Dialogue: 0,0:09:37.61,0:09:41.06,Default,,0000,0000,0000,,for a large government,
Dialogue: 0,0:09:41.06,0:09:43.48,Default,,0000,0000,0000,,so it is against better recommendations
Dialogue: 0,0:09:43.48,0:09:47.54,Default,,0000,0000,0000,,to use a 1024-bit RSA key size,\Nat this point.
Dialogue: 0,0:09:47.54,0:09:48.66,Default,,0000,0000,0000,,Current recommendation is to use
Dialogue: 0,0:09:48.66,0:09:50.81,Default,,0000,0000,0000,,a 2048-bit RSA modulus,
Dialogue: 0,0:09:50.81,0:09:52.60,Default,,0000,0000,0000,,with current algorithms,
Dialogue: 0,0:09:52.60,0:09:54.11,Default,,0000,0000,0000,,nobody should ever be able to factor
Dialogue: 0,0:09:54.11,0:09:55.36,Default,,0000,0000,0000,,something at this size,
Dialogue: 0,0:09:55.36,0:09:57.77,Default,,0000,0000,0000,,without some kind of major improvement.
Dialogue: 0,0:09:57.77,0:10:02.40,Default,,0000,0000,0000,,So, there's the big picture for you.
Dialogue: 0,0:10:02.40,0:10:05.04,Default,,0000,0000,0000,,Now move on to Diffie-Hellman.
Dialogue: 0,0:10:05.04,0:10:08.87,Default,,0000,0000,0000,,So, the paper that introduced\NDiffie-Hellman
Dialogue: 0,0:10:08.87,0:10:11.44,Default,,0000,0000,0000,,was called "New Directions\Nin Cryptography",
Dialogue: 0,0:10:11.44,0:10:13.96,Default,,0000,0000,0000,,it's one of the seminal papers\Nof the 20th century,
Dialogue: 0,0:10:13.96,0:10:15.87,Default,,0000,0000,0000,,how many of you have read this paper?
Dialogue: 0,0:10:15.87,0:10:17.63,Default,,0000,0000,0000,,You should all go read it right now,
Dialogue: 0,0:10:17.63,0:10:20.75,Default,,0000,0000,0000,,I mean not right now, maybe after I talk.
Dialogue: 0,0:10:20.75,0:10:22.70,Default,,0000,0000,0000,,The first sentence of this paper,
Dialogue: 0,0:10:22.70,0:10:24.69,Default,,0000,0000,0000,,written in 1976,
Dialogue: 0,0:10:24.69,0:10:28.40,Default,,0000,0000,0000,,is "We stand today on the brink\Nof a revolution in cryptography".
Dialogue: 0,0:10:28.40,0:10:30.28,Default,,0000,0000,0000,,This is one of the best opening sentences
Dialogue: 0,0:10:30.28,0:10:32.36,Default,,0000,0000,0000,,of an academic paper I've ever read,
Dialogue: 0,0:10:32.36,0:10:36.17,Default,,0000,0000,0000,,and they were 100% right\Nabout everything they put in the paper.
Dialogue: 0,0:10:36.17,0:10:37.86,Default,,0000,0000,0000,,They laid out the entire foundations
Dialogue: 0,0:10:37.86,0:10:41.09,Default,,0000,0000,0000,,of cryptographic research\Nfor a couple decades,
Dialogue: 0,0:10:41.09,0:10:43.27,Default,,0000,0000,0000,,and to boot they came up with
Dialogue: 0,0:10:43.27,0:10:45.66,Default,,0000,0000,0000,,the first public key exchange,
Dialogue: 0,0:10:45.66,0:10:48.23,Default,,0000,0000,0000,,that is still one of the commonly used
Dialogue: 0,0:10:48.23,0:10:50.51,Default,,0000,0000,0000,,public key methods we
Dialogue: 0,0:10:50.51,0:10:51.85,Default,,0000,0000,0000,,have on the Internet.
Dialogue: 0,0:10:51.85,0:10:55.75,Default,,0000,0000,0000,,So, all that in one paper.
Dialogue: 0,0:10:55.75,0:10:58.76,Default,,0000,0000,0000,,So, the way that\Ntextbook Diffie-Hellman works,
Dialogue: 0,0:10:58.76,0:11:00.91,Default,,0000,0000,0000,,is, you've got a couple of parameters,
Dialogue: 0,0:11:00.91,0:11:03.51,Default,,0000,0000,0000,,you've got a prime p,
Dialogue: 0,0:11:03.51,0:11:09.06,Default,,0000,0000,0000,,and some element g less than p,
Dialogue: 0,0:11:09.06,0:11:11.25,Default,,0000,0000,0000,,you can think,\Nfor concreteness, g is 2.
Dialogue: 0,0:11:11.25,0:11:12.76,Default,,0000,0000,0000,,It's a good number.
Dialogue: 0,0:11:12.76,0:11:15.76,Default,,0000,0000,0000,,And p is some very large prime,
Dialogue: 0,0:11:15.76,0:11:18.62,Default,,0000,0000,0000,,say 1024, 2048-bit prime.
Dialogue: 0,0:11:18.62,0:11:20.58,Default,,0000,0000,0000,,And so Alice and Bob,
Dialogue: 0,0:11:20.58,0:11:21.80,Default,,0000,0000,0000,,same as our previous scenario,
Dialogue: 0,0:11:21.80,0:11:23.19,Default,,0000,0000,0000,,they want to bootstrap communication
Dialogue: 0,0:11:23.19,0:11:25.79,Default,,0000,0000,0000,,in the presence of\Nan untrusted eavesdropper.
Dialogue: 0,0:11:25.79,0:11:26.98,Default,,0000,0000,0000,,So what they're going to do,
Dialogue: 0,0:11:26.98,0:11:29.48,Default,,0000,0000,0000,,Alice will generate some secret value a,
Dialogue: 0,0:11:29.48,0:11:32.26,Default,,0000,0000,0000,,and she will compute g^a mod p,
Dialogue: 0,0:11:32.26,0:11:34.05,Default,,0000,0000,0000,,and send it over to Bob,
Dialogue: 0,0:11:34.05,0:11:36.92,Default,,0000,0000,0000,,and Bob will compute some secret value b,
Dialogue: 0,0:11:36.92,0:11:38.41,Default,,0000,0000,0000,,and compute g^b mod p,
Dialogue: 0,0:11:38.41,0:11:40.09,Default,,0000,0000,0000,,and send it over to Alice,
Dialogue: 0,0:11:40.09,0:11:43.87,Default,,0000,0000,0000,,the eavesdropper sees the values\Ng^a and g^b,
Dialogue: 0,0:11:43.87,0:11:45.72,Default,,0000,0000,0000,,can't derive anything useful from those,
Dialogue: 0,0:11:45.72,0:11:47.78,Default,,0000,0000,0000,,but Alice and Bob can individually
Dialogue: 0,0:11:47.78,0:11:48.79,Default,,0000,0000,0000,,take their secrets
Dialogue: 0,0:11:48.79,0:11:52.41,Default,,0000,0000,0000,,and derive the values g^ab mod p,
Dialogue: 0,0:11:52.41,0:11:53.82,Default,,0000,0000,0000,,both the same values.
Dialogue: 0,0:11:53.82,0:11:55.68,Default,,0000,0000,0000,,And that becomes a shared secret,
Dialogue: 0,0:11:55.68,0:11:58.25,Default,,0000,0000,0000,,which they can then use as a session key,
Dialogue: 0,0:11:58.25,0:11:59.86,Default,,0000,0000,0000,,and, you know, switch to AES
Dialogue: 0,0:11:59.86,0:12:02.55,Default,,0000,0000,0000,,and start symmetrically\Nencrypting their data.
Dialogue: 0,0:12:02.55,0:12:05.07,Default,,0000,0000,0000,,So, that's Diffie-Hellman key exchange.
Dialogue: 0,0:12:05.07,0:12:06.47,Default,,0000,0000,0000,,Used all over the Internet,
Dialogue: 0,0:12:06.47,0:12:09.39,Default,,0000,0000,0000,,one of the commonly used things possible.
Dialogue: 0,0:12:09.39,0:12:12.94,Default,,0000,0000,0000,,So, one of the reasons that people
Dialogue: 0,0:12:12.94,0:12:15.50,Default,,0000,0000,0000,,have been advocating\NDiffie-Hellman key exchange recently
Dialogue: 0,0:12:15.50,0:12:17.19,Default,,0000,0000,0000,,over, say, RSA,
Dialogue: 0,0:12:17.19,0:12:20.32,Default,,0000,0000,0000,,is because it can be, it can provide
Dialogue: 0,0:12:20.32,0:12:22.47,Default,,0000,0000,0000,,the property of perfect forward secrecy.
Dialogue: 0,0:12:22.47,0:12:23.65,Default,,0000,0000,0000,,So assuming that Alice and Bob
Dialogue: 0,0:12:23.65,0:12:26.72,Default,,0000,0000,0000,,generate fresh random\Nsecret values a and b
Dialogue: 0,0:12:26.72,0:12:28.64,Default,,0000,0000,0000,,for every single connection,
Dialogue: 0,0:12:28.64,0:12:32.60,Default,,0000,0000,0000,,then if, say, some large government agency
Dialogue: 0,0:12:32.60,0:12:34.74,Default,,0000,0000,0000,,is collecting all of their communications
Dialogue: 0,0:12:34.74,0:12:37.29,Default,,0000,0000,0000,,and later tries to hack into Alice or Bob,
Dialogue: 0,0:12:37.29,0:12:38.73,Default,,0000,0000,0000,,or break one of their keys,
Dialogue: 0,0:12:38.73,0:12:40.90,Default,,0000,0000,0000,,in order to decrypt their communication,
Dialogue: 0,0:12:40.90,0:12:44.03,Default,,0000,0000,0000,,they can't hack into Alice or\NBob's computer later,
Dialogue: 0,0:12:44.03,0:12:46.39,Default,,0000,0000,0000,,and then discover the key
Dialogue: 0,0:12:46.39,0:12:47.86,Default,,0000,0000,0000,,that Alice and Bob used
Dialogue: 0,0:12:47.86,0:12:51.08,Default,,0000,0000,0000,,to generate all the conversations\Nthat they had,
Dialogue: 0,0:12:51.08,0:12:53.65,Default,,0000,0000,0000,,because Alice and Bob have\Nalready forgotten
Dialogue: 0,0:12:53.65,0:12:55.16,Default,,0000,0000,0000,,the keys that they used.
Dialogue: 0,0:12:55.16,0:12:56.56,Default,,0000,0000,0000,,So, as long as Alice and Bob
Dialogue: 0,0:12:56.56,0:12:59.97,Default,,0000,0000,0000,,are generating fresh random\Nvalues every time,
Dialogue: 0,0:12:59.97,0:13:01.28,Default,,0000,0000,0000,,those values should reveal nothing
Dialogue: 0,0:13:01.28,0:13:04.72,Default,,0000,0000,0000,,about past or future communications.
Dialogue: 0,0:13:04.72,0:13:07.32,Default,,0000,0000,0000,,So, that's perfect forward secrecy.
Dialogue: 0,0:13:07.32,0:13:09.47,Default,,0000,0000,0000,,And, a lot of people have,
Dialogue: 0,0:13:09.47,0:13:11.09,Default,,0000,0000,0000,,who really know what\Nthey're talking about,
Dialogue: 0,0:13:11.09,0:13:13.04,Default,,0000,0000,0000,,including, unfortunately, me,
Dialogue: 0,0:13:13.04,0:13:15.08,Default,,0000,0000,0000,,on this stage a couple years ago,
Dialogue: 0,0:13:15.08,0:13:19.92,Default,,0000,0000,0000,,have said, "you guys should always use\NDiffie-Hellman over RSA key exchange
Dialogue: 0,0:13:19.92,0:13:22.59,Default,,0000,0000,0000,,because of this property of\Nperfect forward secrecy".
Dialogue: 0,0:13:22.59,0:13:24.67,Default,,0000,0000,0000,,So here's a selection of quotes
Dialogue: 0,0:13:24.67,0:13:25.94,Default,,0000,0000,0000,,that I found on the Internet,
Dialogue: 0,0:13:25.94,0:13:27.63,Default,,0000,0000,0000,,just from googling\N"perfect forward secrecy"
Dialogue: 0,0:13:27.63,0:13:29.03,Default,,0000,0000,0000,,and "Diffie-Hellman key exchange",
Dialogue: 0,0:13:29.03,0:13:30.84,Default,,0000,0000,0000,,and you find people saying that
Dialogue: 0,0:13:30.84,0:13:33.10,Default,,0000,0000,0000,,this provides better security,
Dialogue: 0,0:13:33.10,0:13:35.70,Default,,0000,0000,0000,,the NSA can decrypt nothing,
Dialogue: 0,0:13:35.70,0:13:40.59,Default,,0000,0000,0000,,1024-bit Diffie-Hellman is arguably\Nbetter than 1024-bit RSA,
Dialogue: 0,0:13:40.59,0:13:45.83,Default,,0000,0000,0000,,and then 1024-bit Diffie-Hellman\Nis better than any key size for RSA.
Dialogue: 0,0:13:45.83,0:13:47.87,Default,,0000,0000,0000,,This is a selection of friends
Dialogue: 0,0:13:47.87,0:13:49.30,Default,,0000,0000,0000,,and people I respect,
Dialogue: 0,0:13:49.30,0:13:52.50,Default,,0000,0000,0000,,and some also, also some\Nrandom people on Stack Overflow,
Dialogue: 0,0:13:52.50,0:13:54.00,Default,,0000,0000,0000,,which is where...
Dialogue: 0,0:13:54.00,0:13:55.18,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:13:55.18,0:13:56.15,Default,,0000,0000,0000,,where we know everybody's actually
Dialogue: 0,0:13:56.15,0:13:58.27,Default,,0000,0000,0000,,getting their recommendations from.
Dialogue: 0,0:13:58.27,0:14:00.98,Default,,0000,0000,0000,,So, there's been wide-scale advocacy
Dialogue: 0,0:14:00.98,0:14:03.42,Default,,0000,0000,0000,,of perfect forward secrecy as
Dialogue: 0,0:14:03.42,0:14:05.64,Default,,0000,0000,0000,,like, the reason that you should\Nuse Diffie-Hellman.
Dialogue: 0,0:14:05.64,0:14:09.15,Default,,0000,0000,0000,,It will protect you against the NSA.
Dialogue: 0,0:14:09.15,0:14:13.05,Default,,0000,0000,0000,,I'm sorry. We were wrong.
Dialogue: 0,0:14:13.05,0:14:14.23,Default,,0000,0000,0000,,And, why were we wrong?
Dialogue: 0,0:14:14.23,0:14:15.34,Default,,0000,0000,0000,,I'm going to tell a little bit more
Dialogue: 0,0:14:15.34,0:14:17.20,Default,,0000,0000,0000,,about what the cryptanalysis looks like
Dialogue: 0,0:14:17.20,0:14:18.38,Default,,0000,0000,0000,,for Diffie-Hellman.
Dialogue: 0,0:14:18.38,0:14:21.67,Default,,0000,0000,0000,,So, the underlying problem\Nthat we hope is hard
Dialogue: 0,0:14:21.67,0:14:22.78,Default,,0000,0000,0000,,for the security of Diffie-Hellman
Dialogue: 0,0:14:22.78,0:14:24.11,Default,,0000,0000,0000,,is called discrete log,
Dialogue: 0,0:14:24.11,0:14:26.63,Default,,0000,0000,0000,,it is exactly sort of the problem of
Dialogue: 0,0:14:26.63,0:14:30.16,Default,,0000,0000,0000,,given one of the key exchange values g^a mod p
Dialogue: 0,0:14:30.16,0:14:33.06,Default,,0000,0000,0000,,compute, say, Alice's secret a.
Dialogue: 0,0:14:33.06,0:14:34.47,Default,,0000,0000,0000,,This would allow the attacker
Dialogue: 0,0:14:34.47,0:14:35.58,Default,,0000,0000,0000,,to compute the shared secret
Dialogue: 0,0:14:35.58,0:14:39.05,Default,,0000,0000,0000,,in the same way that Alice did.
Dialogue: 0,0:14:39.05,0:14:42.95,Default,,0000,0000,0000,,And, sort of similar to\Nfactoring and multiplication,
Dialogue: 0,0:14:42.95,0:14:44.54,Default,,0000,0000,0000,,discrete log, we think it's much harder
Dialogue: 0,0:14:44.54,0:14:46.55,Default,,0000,0000,0000,,than modular exponentiation,
Dialogue: 0,0:14:46.55,0:14:48.42,Default,,0000,0000,0000,,the computation that actually
Dialogue: 0,0:14:48.42,0:14:50.52,Default,,0000,0000,0000,,gives you the value g^a mod p.
Dialogue: 0,0:14:50.52,0:14:52.81,Default,,0000,0000,0000,,And the best algorithm that we have
Dialogue: 0,0:14:52.81,0:14:54.72,Default,,0000,0000,0000,,is called the number field sieve.
Dialogue: 0,0:14:54.72,0:14:58.05,Default,,0000,0000,0000,,So, there's a lot of parallels going on here.
Dialogue: 0,0:14:58.05,0:14:59.26,Default,,0000,0000,0000,,So what does the number field sieve
Dialogue: 0,0:14:59.26,0:15:00.94,Default,,0000,0000,0000,,for discrete log look like?
Dialogue: 0,0:15:00.94,0:15:05.03,Default,,0000,0000,0000,,Hopefully this diagram is somewhat\Nfamiliar to you by now,
Dialogue: 0,0:15:05.03,0:15:06.60,Default,,0000,0000,0000,,it's a multi-stage algorithm,
Dialogue: 0,0:15:06.60,0:15:10.49,Default,,0000,0000,0000,,it has many of the same\Nstages as factoring,
Dialogue: 0,0:15:10.49,0:15:12.70,Default,,0000,0000,0000,,you can sort of line them up in parallel,
Dialogue: 0,0:15:12.70,0:15:14.95,Default,,0000,0000,0000,,the last bit looks a little bit different,
Dialogue: 0,0:15:14.95,0:15:17.09,Default,,0000,0000,0000,,but we can sort of ignore that\Nfor the moment.
Dialogue: 0,0:15:17.09,0:15:20.16,Default,,0000,0000,0000,,Okay. So, we have some pictures
Dialogue: 0,0:15:20.16,0:15:22.83,Default,,0000,0000,0000,,of what the number field sieve looks like.
Dialogue: 0,0:15:22.83,0:15:24.70,Default,,0000,0000,0000,,How long does it take?
Dialogue: 0,0:15:24.70,0:15:28.72,Default,,0000,0000,0000,,Answer number 1:\NThe same answer as factoring.
Dialogue: 0,0:15:28.72,0:15:31.38,Default,,0000,0000,0000,,In case you didn't remember,\Nhere it is again.
Dialogue: 0,0:15:31.38,0:15:33.42,Default,,0000,0000,0000,,This is kind of why everybody\Nhas been saying
Dialogue: 0,0:15:33.42,0:15:35.26,Default,,0000,0000,0000,,"Okay, the security of, you know,
Dialogue: 0,0:15:35.26,0:15:36.83,Default,,0000,0000,0000,,1024-bit Diffie-Hellman key exchange
Dialogue: 0,0:15:36.83,0:15:38.96,Default,,0000,0000,0000,,is about the same as the security of
Dialogue: 0,0:15:38.96,0:15:41.06,Default,,0000,0000,0000,,a 1024-bit RSA key."
Dialogue: 0,0:15:41.06,0:15:44.81,Default,,0000,0000,0000,,It's because we have the same\Ncomplicated formula that tells us
Dialogue: 0,0:15:44.81,0:15:47.73,Default,,0000,0000,0000,,how hard it is to break.
Dialogue: 0,0:15:47.73,0:15:49.78,Default,,0000,0000,0000,,The sort of more subtle answer for...
Dialogue: 0,0:15:49.78,0:15:51.70,Default,,0000,0000,0000,,or, not more subtle,\Nbut the more practical answer
Dialogue: 0,0:15:51.70,0:15:53.07,Default,,0000,0000,0000,,for, how secure is it,
Dialogue: 0,0:15:53.07,0:15:55.77,Default,,0000,0000,0000,,is, we can say, well, how long do we think
Dialogue: 0,0:15:55.77,0:15:56.96,Default,,0000,0000,0000,,it will take to actually compute
Dialogue: 0,0:15:56.96,0:15:59.91,Default,,0000,0000,0000,,a discrete log for\Ncommonly used key sizes,
Dialogue: 0,0:15:59.91,0:16:01.09,Default,,0000,0000,0000,,and the answer is,
Dialogue: 0,0:16:01.09,0:16:04.60,Default,,0000,0000,0000,,slightly longer than factoring an\NRSA key of equivalent size,
Dialogue: 0,0:16:04.60,0:16:09.48,Default,,0000,0000,0000,,but, not so much longer than an RSA key.
Dialogue: 0,0:16:09.48,0:16:12.16,Default,,0000,0000,0000,,And, the minimum recommended key size
Dialogue: 0,0:16:12.16,0:16:14.76,Default,,0000,0000,0000,,today is 2048 bits.
Dialogue: 0,0:16:14.76,0:16:18.02,Default,,0000,0000,0000,,Okay, so, 2048-bit Diffie-Hellman,
Dialogue: 0,0:16:18.02,0:16:22.22,Default,,0000,0000,0000,,we're good. Great! We can all go home.
Dialogue: 0,0:16:22.22,0:16:24.50,Default,,0000,0000,0000,,Okay. However, okay,
Dialogue: 0,0:16:24.50,0:16:26.35,Default,,0000,0000,0000,,what if you want to break many connections
Dialogue: 0,0:16:26.35,0:16:28.83,Default,,0000,0000,0000,,that use the same public parameter p?
Dialogue: 0,0:16:28.83,0:16:30.75,Default,,0000,0000,0000,,Do you have to go through
Dialogue: 0,0:16:30.75,0:16:33.57,Default,,0000,0000,0000,,this whole computation,
Dialogue: 0,0:16:33.57,0:16:35.27,Default,,0000,0000,0000,,every single, for every single connection
Dialogue: 0,0:16:35.27,0:16:36.57,Default,,0000,0000,0000,,that you want to break?
Dialogue: 0,0:16:36.57,0:16:41.10,Default,,0000,0000,0000,,That was kind of the justification
Dialogue: 0,0:16:41.10,0:16:42.55,Default,,0000,0000,0000,,for perfect forward secrecy,
Dialogue: 0,0:16:42.55,0:16:43.95,Default,,0000,0000,0000,,that every single connection
Dialogue: 0,0:16:43.95,0:16:45.92,Default,,0000,0000,0000,,should be as hard as factoring an RSA key
Dialogue: 0,0:16:45.92,0:16:48.26,Default,,0000,0000,0000,,of the equivalent size.
Dialogue: 0,0:16:48.26,0:16:50.49,Default,,0000,0000,0000,,Except that's not quite the case.
Dialogue: 0,0:16:50.49,0:16:51.85,Default,,0000,0000,0000,,Because if you look at where
Dialogue: 0,0:16:51.85,0:16:54.36,Default,,0000,0000,0000,,the actual target that\Nwe're trying to compute
Dialogue: 0,0:16:54.36,0:16:56.73,Default,,0000,0000,0000,,appears in this plot,
Dialogue: 0,0:16:56.73,0:16:58.62,Default,,0000,0000,0000,,it's only at the very last stage.
Dialogue: 0,0:16:58.62,0:17:00.41,Default,,0000,0000,0000,,So all of this only depends
Dialogue: 0,0:17:00.41,0:17:01.98,Default,,0000,0000,0000,,on the prime p.
Dialogue: 0,0:17:01.98,0:17:05.72,Default,,0000,0000,0000,,So we can actually divide up\Nthe algorithm into two pieces:
Dialogue: 0,0:17:05.72,0:17:09.58,Default,,0000,0000,0000,,A few stages that depend only\Non the prime p that we're using,
Dialogue: 0,0:17:09.58,0:17:11.64,Default,,0000,0000,0000,,and then the final computation
Dialogue: 0,0:17:11.64,0:17:14.48,Default,,0000,0000,0000,,that takes the output of this\Nfirst precomputation stage,
Dialogue: 0,0:17:14.48,0:17:15.52,Default,,0000,0000,0000,,and that's the only stage
Dialogue: 0,0:17:15.52,0:17:17.28,Default,,0000,0000,0000,,that actually matters,
Dialogue: 0,0:17:17.28,0:17:19.45,Default,,0000,0000,0000,,that actually depends on the target
Dialogue: 0,0:17:19.45,0:17:22.61,Default,,0000,0000,0000,,of our discrete log computation.
Dialogue: 0,0:17:22.61,0:17:27.46,Default,,0000,0000,0000,,So, we're in trouble.
Dialogue: 0,0:17:27.46,0:17:29.55,Default,,0000,0000,0000,,In particular, that means that
Dialogue: 0,0:17:29.55,0:17:33.39,Default,,0000,0000,0000,,if many connections are using\Nthis same prime p,
Dialogue: 0,0:17:33.39,0:17:35.65,Default,,0000,0000,0000,,you can do the precomputation once,
Dialogue: 0,0:17:35.65,0:17:37.47,Default,,0000,0000,0000,,spend a huge amount of effort,
Dialogue: 0,0:17:37.47,0:17:39.49,Default,,0000,0000,0000,,and then the actual effort required
Dialogue: 0,0:17:39.49,0:17:43.26,Default,,0000,0000,0000,,to break individual connections\Nusing those primes
Dialogue: 0,0:17:43.26,0:17:46.06,Default,,0000,0000,0000,,is much, much smaller.
Dialogue: 0,0:17:46.06,0:17:48.30,Default,,0000,0000,0000,,So here are our current estimates,
Dialogue: 0,0:17:48.30,0:17:50.43,Default,,0000,0000,0000,,these are actually somewhat new\Nfrom our paper,
Dialogue: 0,0:17:50.43,0:17:54.12,Default,,0000,0000,0000,,of how long the individual log stage\Ntakes in practice,
Dialogue: 0,0:17:54.12,0:17:55.81,Default,,0000,0000,0000,,if you push the primer as far as you can
Dialogue: 0,0:17:55.81,0:17:57.68,Default,,0000,0000,0000,,to make this as fast as possible.
Dialogue: 0,0:17:57.68,0:17:59.33,Default,,0000,0000,0000,,And the answer is basically,
Dialogue: 0,0:17:59.33,0:18:01.81,Default,,0000,0000,0000,,if you're worried about a government,
Dialogue: 0,0:18:01.81,0:18:03.54,Default,,0000,0000,0000,,you better start worrying
Dialogue: 0,0:18:03.54,0:18:08.65,Default,,0000,0000,0000,,for reasonable key sizes\Nthat people are using.
Dialogue: 0,0:18:08.65,0:18:11.38,Default,,0000,0000,0000,,See, so I'll let Alex continue
Dialogue: 0,0:18:11.38,0:18:14.52,Default,,0000,0000,0000,,with the next part of our talk.
Dialogue: 0,0:18:14.52,0:18:21.80,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:18:21.80,0:18:24.83,Default,,0000,0000,0000,,So this fact that Nadia just told us
Dialogue: 0,0:18:24.83,0:18:27.29,Default,,0000,0000,0000,,about Diffie-Hellman
Dialogue: 0,0:18:27.29,0:18:29.15,Default,,0000,0000,0000,,and the number field sieve,
Dialogue: 0,0:18:29.15,0:18:33.60,Default,,0000,0000,0000,,this was something that the\Nmathematical crypto people knew about,
Dialogue: 0,0:18:33.60,0:18:35.97,Default,,0000,0000,0000,,but most of us who did system security,
Dialogue: 0,0:18:35.97,0:18:37.61,Default,,0000,0000,0000,,people like me,
Dialogue: 0,0:18:37.61,0:18:40.03,Default,,0000,0000,0000,,didn't ever get the memo.
Dialogue: 0,0:18:40.03,0:18:43.88,Default,,0000,0000,0000,,So, it's, I'm here in part to apologise
Dialogue: 0,0:18:43.88,0:18:45.29,Default,,0000,0000,0000,,to everyone I've taught
Dialogue: 0,0:18:45.29,0:18:48.29,Default,,0000,0000,0000,,about Diffie-Hellman and cryptanalysis
Dialogue: 0,0:18:48.29,0:18:50.01,Default,,0000,0000,0000,,who didn't get to hear about this,
Dialogue: 0,0:18:50.01,0:18:51.00,Default,,0000,0000,0000,,as we were talking about
Dialogue: 0,0:18:51.00,0:18:52.49,Default,,0000,0000,0000,,perfect forward secrecy.
Dialogue: 0,0:18:52.49,0:18:54.84,Default,,0000,0000,0000,,Right, this fact about the cryptanalysis
Dialogue: 0,0:18:54.84,0:18:56.91,Default,,0000,0000,0000,,and how well it can apply in exactly
Dialogue: 0,0:18:56.91,0:18:58.67,Default,,0000,0000,0000,,the scenario that we're worried about,
Dialogue: 0,0:18:58.67,0:19:02.09,Default,,0000,0000,0000,,this kind of situation\Ninvolving mass surveillance,
Dialogue: 0,0:19:02.09,0:19:04.67,Default,,0000,0000,0000,,was news to many of those.
Dialogue: 0,0:19:04.67,0:19:06.32,Default,,0000,0000,0000,,But now that we have that fact,
Dialogue: 0,0:19:06.32,0:19:08.04,Default,,0000,0000,0000,,how can we exploit it,
Dialogue: 0,0:19:08.04,0:19:09.87,Default,,0000,0000,0000,,to try to break Diffie-Hellman,
Dialogue: 0,0:19:09.87,0:19:12.08,Default,,0000,0000,0000,,in scenarios that we all care about?
Dialogue: 0,0:19:12.08,0:19:13.02,Default,,0000,0000,0000,,And we're going to talk about
Dialogue: 0,0:19:13.02,0:19:15.96,Default,,0000,0000,0000,,two scenarios in the talk today.
Dialogue: 0,0:19:15.96,0:19:19.13,Default,,0000,0000,0000,,The first one applies to HTTPS,
Dialogue: 0,0:19:19.13,0:19:21.72,Default,,0000,0000,0000,,to encrypted web connections,
Dialogue: 0,0:19:21.72,0:19:24.96,Default,,0000,0000,0000,,and it applies not only\Nto government agencies,
Dialogue: 0,0:19:24.96,0:19:27.75,Default,,0000,0000,0000,,but also just to normal\Neveryday attackers,
Dialogue: 0,0:19:27.75,0:19:29.02,Default,,0000,0000,0000,,with maybe the same resources
Dialogue: 0,0:19:29.02,0:19:31.03,Default,,0000,0000,0000,,that you or I have.
Dialogue: 0,0:19:31.03,0:19:35.28,Default,,0000,0000,0000,,Right, this is a down-to-earth\Nkind of attack on HTTPS,
Dialogue: 0,0:19:35.28,0:19:37.63,Default,,0000,0000,0000,,and we call it Logjam.
Dialogue: 0,0:19:37.63,0:19:39.87,Default,,0000,0000,0000,,Logjam allows us to break
Dialogue: 0,0:19:39.87,0:19:41.74,Default,,0000,0000,0000,,the HTTPS connections
Dialogue: 0,0:19:41.74,0:19:44.07,Default,,0000,0000,0000,,to many, many popular websites
Dialogue: 0,0:19:44.07,0:19:45.80,Default,,0000,0000,0000,,in modern browsers,
Dialogue: 0,0:19:45.80,0:19:48.61,Default,,0000,0000,0000,,by fooling those browsers into using
Dialogue: 0,0:19:48.61,0:19:53.31,Default,,0000,0000,0000,,1990s-era backdoored crypto.
Dialogue: 0,0:19:53.31,0:19:55.68,Default,,0000,0000,0000,,So where does this backdoored\Ncrypto come from?
Dialogue: 0,0:19:55.68,0:19:57.65,Default,,0000,0000,0000,,This is from the first crypto wars,
Dialogue: 0,0:19:57.65,0:19:59.04,Default,,0000,0000,0000,,back in the 90s,
Dialogue: 0,0:19:59.04,0:20:01.33,Default,,0000,0000,0000,,when my country, the US,
Dialogue: 0,0:20:01.33,0:20:04.11,Default,,0000,0000,0000,,had restrictions on what kind and strength
Dialogue: 0,0:20:04.11,0:20:06.68,Default,,0000,0000,0000,,of cryptography could be exported,
Dialogue: 0,0:20:06.68,0:20:08.69,Default,,0000,0000,0000,,and used by people abroad.
Dialogue: 0,0:20:08.69,0:20:10.58,Default,,0000,0000,0000,,So US companies were prohibited
Dialogue: 0,0:20:10.58,0:20:12.57,Default,,0000,0000,0000,,from exporting products that contained
Dialogue: 0,0:20:12.57,0:20:15.96,Default,,0000,0000,0000,,cryptography that had greater\Nthan a certain strength.
Dialogue: 0,0:20:15.96,0:20:18.02,Default,,0000,0000,0000,,For RSA, that was that the key size
Dialogue: 0,0:20:18.02,0:20:21.25,Default,,0000,0000,0000,,had to be less than or equal to 512 bits,
Dialogue: 0,0:20:21.25,0:20:22.84,Default,,0000,0000,0000,,and for Diffie-Hellman it was that
Dialogue: 0,0:20:22.84,0:20:27.40,Default,,0000,0000,0000,,basically the prime had to be\N512 bits or less.
Dialogue: 0,0:20:27.40,0:20:28.54,Default,,0000,0000,0000,,So back in the 90s,
Dialogue: 0,0:20:28.54,0:20:29.97,Default,,0000,0000,0000,,these were constants,
Dialogue: 0,0:20:29.97,0:20:31.38,Default,,0000,0000,0000,,these were strengths of crypto
Dialogue: 0,0:20:31.38,0:20:33.73,Default,,0000,0000,0000,,that were chosen presumably because
Dialogue: 0,0:20:33.73,0:20:37.74,Default,,0000,0000,0000,,they were easy for NSA to break.
Dialogue: 0,0:20:37.74,0:20:39.69,Default,,0000,0000,0000,,So, if you were an American company
Dialogue: 0,0:20:39.69,0:20:42.17,Default,,0000,0000,0000,,making products, like let's say
Dialogue: 0,0:20:42.17,0:20:44.83,Default,,0000,0000,0000,,Netscape Navigator, the web browser
Dialogue: 0,0:20:44.83,0:20:50.98,Default,,0000,0000,0000,,that initiated the first SSL protocol,
Dialogue: 0,0:20:50.98,0:20:53.00,Default,,0000,0000,0000,,you needed some way to be able
Dialogue: 0,0:20:53.00,0:20:54.98,Default,,0000,0000,0000,,to communicate with,
Dialogue: 0,0:20:54.98,0:20:56.92,Default,,0000,0000,0000,,from servers in the US,
Dialogue: 0,0:20:56.92,0:20:59.36,Default,,0000,0000,0000,,to clients, including your own browser,
Dialogue: 0,0:20:59.36,0:21:01.07,Default,,0000,0000,0000,,that you would ship to people abroad,
Dialogue: 0,0:21:01.07,0:21:03.12,Default,,0000,0000,0000,,say, here in Germany.
Dialogue: 0,0:21:03.12,0:21:04.87,Default,,0000,0000,0000,,And so they came up with a way
Dialogue: 0,0:21:04.87,0:21:10.66,Default,,0000,0000,0000,,to use, to have HTTPS automatically select
Dialogue: 0,0:21:10.66,0:21:12.88,Default,,0000,0000,0000,,the appropriate key strength
Dialogue: 0,0:21:12.88,0:21:14.43,Default,,0000,0000,0000,,depending on whether the browser
Dialogue: 0,0:21:14.43,0:21:17.47,Default,,0000,0000,0000,,was able to support\Nthe full-strength cryptography,
Dialogue: 0,0:21:17.47,0:21:18.74,Default,,0000,0000,0000,,or the weakened version
Dialogue: 0,0:21:18.74,0:21:20.53,Default,,0000,0000,0000,,for deployment abroad.
Dialogue: 0,0:21:20.53,0:21:22.29,Default,,0000,0000,0000,,And the way that they did that
Dialogue: 0,0:21:22.29,0:21:23.35,Default,,0000,0000,0000,,was something called
Dialogue: 0,0:21:23.35,0:21:26.21,Default,,0000,0000,0000,,export-grade cipher suites.
Dialogue: 0,0:21:26.21,0:21:27.09,Default,,0000,0000,0000,,So when your browser,
Dialogue: 0,0:21:27.09,0:21:29.08,Default,,0000,0000,0000,,whenever it starts a TLS connection
Dialogue: 0,0:21:29.08,0:21:31.38,Default,,0000,0000,0000,,for an HTTPS URL,
Dialogue: 0,0:21:31.38,0:21:32.80,Default,,0000,0000,0000,,one of the first things that it does
Dialogue: 0,0:21:32.80,0:21:35.54,Default,,0000,0000,0000,,is, the browser will send to the server
Dialogue: 0,0:21:35.54,0:21:37.48,Default,,0000,0000,0000,,a list of the kinds of cryptography
Dialogue: 0,0:21:37.48,0:21:38.93,Default,,0000,0000,0000,,that it can speak,
Dialogue: 0,0:21:38.93,0:21:40.95,Default,,0000,0000,0000,,these are called cipher suites,
Dialogue: 0,0:21:40.95,0:21:44.15,Default,,0000,0000,0000,,and then the server selects one of those,
Dialogue: 0,0:21:44.15,0:21:46.24,Default,,0000,0000,0000,,that is compatible with\Nwhatever cryptography
Dialogue: 0,0:21:46.24,0:21:48.19,Default,,0000,0000,0000,,the server has available,
Dialogue: 0,0:21:48.19,0:21:50.45,Default,,0000,0000,0000,,and then that negotiated cipher suite
Dialogue: 0,0:21:50.45,0:21:53.54,Default,,0000,0000,0000,,is what's used for the connection.
Dialogue: 0,0:21:53.54,0:21:55.21,Default,,0000,0000,0000,,Now the way that they supported
Dialogue: 0,0:21:55.21,0:21:57.89,Default,,0000,0000,0000,,the 90s-era backdoor crypto
Dialogue: 0,0:21:57.89,0:22:01.38,Default,,0000,0000,0000,,was by having browsers shipped abroad
Dialogue: 0,0:22:01.38,0:22:03.37,Default,,0000,0000,0000,,from the United States that could only
Dialogue: 0,0:22:03.37,0:22:06.14,Default,,0000,0000,0000,,speak a certain subset\Nof crypto algorithms,
Dialogue: 0,0:22:06.14,0:22:07.52,Default,,0000,0000,0000,,that were limited in strength
Dialogue: 0,0:22:07.52,0:22:09.88,Default,,0000,0000,0000,,to 512 bits or less,
Dialogue: 0,0:22:09.88,0:22:11.73,Default,,0000,0000,0000,,those were the export-grade cipher suites
Dialogue: 0,0:22:11.73,0:22:13.87,Default,,0000,0000,0000,,with the names you see here.
Dialogue: 0,0:22:13.87,0:22:18.93,Default,,0000,0000,0000,,Now, even though no\Nbrowser has been shipped
Dialogue: 0,0:22:18.93,0:22:21.74,Default,,0000,0000,0000,,that is limited to only these suites,
Dialogue: 0,0:22:21.74,0:22:24.34,Default,,0000,0000,0000,,since probably 2000-sometime,
Dialogue: 0,0:22:24.34,0:22:27.52,Default,,0000,0000,0000,,when the US relaxed\Nits export regulations,
Dialogue: 0,0:22:27.52,0:22:29.44,Default,,0000,0000,0000,,there wasn't just any one day
Dialogue: 0,0:22:29.44,0:22:33.06,Default,,0000,0000,0000,,when all of those old browsers
Dialogue: 0,0:22:33.06,0:22:35.49,Default,,0000,0000,0000,,from before that era went away.
Dialogue: 0,0:22:35.49,0:22:38.83,Default,,0000,0000,0000,,So, servers, even now, many servers
Dialogue: 0,0:22:38.83,0:22:42.63,Default,,0000,0000,0000,,will still accept and speak\Nthese weakened cipher suites,
Dialogue: 0,0:22:42.63,0:22:45.45,Default,,0000,0000,0000,,if that's all the browser has available.
Dialogue: 0,0:22:45.45,0:22:47.55,Default,,0000,0000,0000,,Like if you're running an e-commerce site,
Dialogue: 0,0:22:47.55,0:22:49.76,Default,,0000,0000,0000,,right, I'm sure you still want to be able
Dialogue: 0,0:22:49.76,0:22:51.43,Default,,0000,0000,0000,,to speak to any customers
Dialogue: 0,0:22:51.43,0:22:54.67,Default,,0000,0000,0000,,who have 1998-era\NNetscape Navigator involved,
Dialogue: 0,0:22:54.67,0:22:57.03,Default,,0000,0000,0000,,otherwise you'd lose some sales, right?
Dialogue: 0,0:22:57.03,0:22:59.01,Default,,0000,0000,0000,,So there was no reason to turn them off,
Dialogue: 0,0:22:59.01,0:23:02.05,Default,,0000,0000,0000,,because no modern browser any more,
Dialogue: 0,0:23:02.05,0:23:03.90,Default,,0000,0000,0000,,now that those restrictions are lifted,
Dialogue: 0,0:23:03.90,0:23:06.69,Default,,0000,0000,0000,,would choose these weakened suites.
Dialogue: 0,0:23:06.69,0:23:09.45,Default,,0000,0000,0000,,Well, that's what we thought, anyway.
Dialogue: 0,0:23:09.45,0:23:13.36,Default,,0000,0000,0000,,So, in, over this past year,
Dialogue: 0,0:23:13.36,0:23:15.74,Default,,0000,0000,0000,,there were two attacks that exploited
Dialogue: 0,0:23:15.74,0:23:17.29,Default,,0000,0000,0000,,these weakened cipher suites,
Dialogue: 0,0:23:17.29,0:23:20.71,Default,,0000,0000,0000,,that found ways to convince\Nmodern browsers
Dialogue: 0,0:23:20.71,0:23:23.99,Default,,0000,0000,0000,,to speak them instead of\Nfull-strength cryptography.
Dialogue: 0,0:23:23.99,0:23:26.50,Default,,0000,0000,0000,,The first was the FREAK attack,
Dialogue: 0,0:23:26.50,0:23:28.80,Default,,0000,0000,0000,,which was revealed in early 2015
Dialogue: 0,0:23:28.80,0:23:32.04,Default,,0000,0000,0000,,by a separate group of authors,
Dialogue: 0,0:23:32.04,0:23:34.98,Default,,0000,0000,0000,,and the FREAK attack was\Nan implementation flaw
Dialogue: 0,0:23:34.98,0:23:38.85,Default,,0000,0000,0000,,in many modern browsers.
Dialogue: 0,0:23:38.85,0:23:40.37,Default,,0000,0000,0000,,In order to exploit it,
Dialogue: 0,0:23:40.37,0:23:42.15,Default,,0000,0000,0000,,all you need to do is to be able
Dialogue: 0,0:23:42.15,0:23:44.22,Default,,0000,0000,0000,,to relatively inexpensively
Dialogue: 0,0:23:44.22,0:23:48.34,Default,,0000,0000,0000,,factor a 512-bit RSA key.
Dialogue: 0,0:23:48.34,0:23:50.07,Default,,0000,0000,0000,,And, as Nadia has told you,
Dialogue: 0,0:23:50.07,0:23:52.76,Default,,0000,0000,0000,,this is now a matter of maybe 4 hours,
Dialogue: 0,0:23:52.76,0:23:55.25,Default,,0000,0000,0000,,maybe 75 dollars, something like that,
Dialogue: 0,0:23:55.25,0:23:57.23,Default,,0000,0000,0000,,and if you did that, you'd be able to break
Dialogue: 0,0:23:57.23,0:23:59.64,Default,,0000,0000,0000,,all the connections coming into
Dialogue: 0,0:23:59.64,0:24:01.92,Default,,0000,0000,0000,,a weak server for a long period of time,
Dialogue: 0,0:24:01.92,0:24:06.15,Default,,0000,0000,0000,,to a server that still spoke\Nthese cipher suites.
Dialogue: 0,0:24:06.15,0:24:08.03,Default,,0000,0000,0000,,So this affected most modern browsers,
Dialogue: 0,0:24:08.03,0:24:14.44,Default,,0000,0000,0000,,and just shy of 10% of Alexa\Ntop million sites that speak HTTPS.
Dialogue: 0,0:24:14.44,0:24:16.88,Default,,0000,0000,0000,,Now that left the Diffie-Hellman
Dialogue: 0,0:24:16.88,0:24:18.65,Default,,0000,0000,0000,,export-grade cipher suites,
Dialogue: 0,0:24:18.65,0:24:21.00,Default,,0000,0000,0000,,which were not affected by FREAK.
Dialogue: 0,0:24:21.00,0:24:25.78,Default,,0000,0000,0000,,But we came up with a paper\Nin May of this year,
Dialogue: 0,0:24:25.78,0:24:27.57,Default,,0000,0000,0000,,that showed a separate attack,
Dialogue: 0,0:24:27.57,0:24:29.18,Default,,0000,0000,0000,,the Logjam attack,
Dialogue: 0,0:24:29.18,0:24:32.00,Default,,0000,0000,0000,,which is a protocol flaw in TLS,
Dialogue: 0,0:24:32.00,0:24:34.45,Default,,0000,0000,0000,,and affects all modern browsers,
Dialogue: 0,0:24:34.45,0:24:38.37,Default,,0000,0000,0000,,and, similarly, allows you\Nto downgrade connections
Dialogue: 0,0:24:38.37,0:24:40.58,Default,,0000,0000,0000,,to export-grade Diffie-Hellman,
Dialogue: 0,0:24:40.58,0:24:43.01,Default,,0000,0000,0000,,and then intercept or modify the contents,
Dialogue: 0,0:24:43.01,0:24:46.84,Default,,0000,0000,0000,,if the server speaks and still supports
Dialogue: 0,0:24:46.84,0:24:50.84,Default,,0000,0000,0000,,these export-grade Diffie-Hellman\Ncipher suites.
Dialogue: 0,0:24:50.84,0:24:52.29,Default,,0000,0000,0000,,So now let me give you
Dialogue: 0,0:24:52.29,0:24:55.03,Default,,0000,0000,0000,,the hopefully brief technical overview
Dialogue: 0,0:24:55.03,0:24:57.09,Default,,0000,0000,0000,,of how the Logjam attack works.
Dialogue: 0,0:24:57.09,0:24:59.08,Default,,0000,0000,0000,,If you've been curious about this,
Dialogue: 0,0:24:59.08,0:25:02.84,Default,,0000,0000,0000,,this is the chance to see it.
Dialogue: 0,0:25:02.84,0:25:04.92,Default,,0000,0000,0000,,So, Logjam is a problem that happens
Dialogue: 0,0:25:04.92,0:25:08.46,Default,,0000,0000,0000,,during the TLS connection handshake.
Dialogue: 0,0:25:08.46,0:25:10.20,Default,,0000,0000,0000,,And the first thing that happens\Nin the handshake,
Dialogue: 0,0:25:10.20,0:25:11.61,Default,,0000,0000,0000,,at the top of this diagram,
Dialogue: 0,0:25:11.61,0:25:13.43,Default,,0000,0000,0000,,so this is just your browser connecting
Dialogue: 0,0:25:13.43,0:25:16.60,Default,,0000,0000,0000,,to some website, some server\Nthere on the right,
Dialogue: 0,0:25:16.60,0:25:19.58,Default,,0000,0000,0000,,maybe Alice connecting to\Nher favourite website here.
Dialogue: 0,0:25:19.58,0:25:21.56,Default,,0000,0000,0000,,So the first stage is this client hello,
Dialogue: 0,0:25:21.56,0:25:24.52,Default,,0000,0000,0000,,where, you know, a normal client\Nis going to say,
Dialogue: 0,0:25:24.52,0:25:26.79,Default,,0000,0000,0000,,I speak various kinds of cryptography,
Dialogue: 0,0:25:26.79,0:25:29.65,Default,,0000,0000,0000,,including full-strength Diffie-Hellman.
Dialogue: 0,0:25:29.65,0:25:31.35,Default,,0000,0000,0000,,The server at that point is going to
Dialogue: 0,0:25:31.35,0:25:35.72,Default,,0000,0000,0000,,respond by picking some cipher suite,
Dialogue: 0,0:25:35.72,0:25:37.56,Default,,0000,0000,0000,,let's say Diffie-Hellman,
Dialogue: 0,0:25:37.56,0:25:40.61,Default,,0000,0000,0000,,and then sending over\Nits certificate chain,
Dialogue: 0,0:25:40.61,0:25:45.28,Default,,0000,0000,0000,,as well as its Diffie-Hellman\Npublic parameters,
Dialogue: 0,0:25:45.28,0:25:47.99,Default,,0000,0000,0000,,p and g, the server gets to choose them,
Dialogue: 0,0:25:47.99,0:25:49.26,Default,,0000,0000,0000,,as well as g^a.
Dialogue: 0,0:25:49.26,0:25:50.82,Default,,0000,0000,0000,,And then it's going to use
Dialogue: 0,0:25:50.82,0:25:54.76,Default,,0000,0000,0000,,its long-term RSA key that is the thing
Dialogue: 0,0:25:54.76,0:25:56.81,Default,,0000,0000,0000,,that is signed in its certificate,
Dialogue: 0,0:25:56.81,0:26:00.21,Default,,0000,0000,0000,,in order to make a signature on\Nthose Diffie-Hellman parameters.
Dialogue: 0,0:26:00.21,0:26:02.13,Default,,0000,0000,0000,,Okay, then it's going to do...
Dialogue: 0,0:26:02.13,0:26:05.39,Default,,0000,0000,0000,,complete the negotiation, and so on.
Dialogue: 0,0:26:05.39,0:26:06.82,Default,,0000,0000,0000,,In the Logjam attack,
Dialogue: 0,0:26:06.82,0:26:08.61,Default,,0000,0000,0000,,we have a man-in-the-middle attacker,
Dialogue: 0,0:26:08.61,0:26:10.97,Default,,0000,0000,0000,,who's able to modify some\Nof these messages
Dialogue: 0,0:26:10.97,0:26:13.03,Default,,0000,0000,0000,,as they're going by.
Dialogue: 0,0:26:13.03,0:26:14.96,Default,,0000,0000,0000,,So the first thing the attacker does,
Dialogue: 0,0:26:14.96,0:26:17.46,Default,,0000,0000,0000,,he modifies the client hello message,
Dialogue: 0,0:26:17.46,0:26:19.71,Default,,0000,0000,0000,,to replace all of the different\Nkinds of cryptography
Dialogue: 0,0:26:19.71,0:26:21.64,Default,,0000,0000,0000,,the client says it supports,
Dialogue: 0,0:26:21.64,0:26:24.56,Default,,0000,0000,0000,,and just put in export-grade\NDiffie-Hellman.
Dialogue: 0,0:26:24.56,0:26:27.24,Default,,0000,0000,0000,,Ah, the 90s are here again.
Dialogue: 0,0:26:27.24,0:26:29.92,Default,,0000,0000,0000,,Alright, so then, you know, the server
Dialogue: 0,0:26:29.92,0:26:32.79,Default,,0000,0000,0000,,will get that, and if the server supports
Dialogue: 0,0:26:32.79,0:26:34.85,Default,,0000,0000,0000,,export-grade Diffie-Hellman,
Dialogue: 0,0:26:34.85,0:26:39.18,Default,,0000,0000,0000,,as about 10% or so of servers
Dialogue: 0,0:26:39.18,0:26:41.07,Default,,0000,0000,0000,,still support export-grade Diffie-Hellman,
Dialogue: 0,0:26:41.07,0:26:43.67,Default,,0000,0000,0000,,it's going to respond and say,
Dialogue: 0,0:26:43.67,0:26:46.11,Default,,0000,0000,0000,,okay, that's what you asked for,\NI'll take it,
Dialogue: 0,0:26:46.11,0:26:49.10,Default,,0000,0000,0000,,and it's going to send over its side
Dialogue: 0,0:26:49.10,0:26:51.27,Default,,0000,0000,0000,,of the Diffie-Hellman key exchange,
Dialogue: 0,0:26:51.27,0:26:54.17,Default,,0000,0000,0000,,but using a 512-bit prime,
Dialogue: 0,0:26:54.17,0:26:56.55,Default,,0000,0000,0000,,because that's what is required under
Dialogue: 0,0:26:56.55,0:26:59.50,Default,,0000,0000,0000,,these export-grade suites.
Dialogue: 0,0:26:59.50,0:27:02.40,Default,,0000,0000,0000,,Now, at that point, the browser would
Dialogue: 0,0:27:02.40,0:27:04.60,Default,,0000,0000,0000,,normally reject this message,
Dialogue: 0,0:27:04.60,0:27:06.54,Default,,0000,0000,0000,,because it didn't ask for export-grade,
Dialogue: 0,0:27:06.54,0:27:09.77,Default,,0000,0000,0000,,it really asked for full-strength,
Dialogue: 0,0:27:09.77,0:27:11.54,Default,,0000,0000,0000,,so instead, the man in the middle has to
Dialogue: 0,0:27:11.54,0:27:15.50,Default,,0000,0000,0000,,modify the server's hello message,
Dialogue: 0,0:27:15.50,0:27:18.27,Default,,0000,0000,0000,,and say that this is full-strength\NDiffie-Hellman,
Dialogue: 0,0:27:18.27,0:27:19.63,Default,,0000,0000,0000,,well, if it's full-strength,
Dialogue: 0,0:27:19.63,0:27:22.97,Default,,0000,0000,0000,,why is it only a 512-bit prime\Nthat's being used?
Dialogue: 0,0:27:22.97,0:27:25.78,Default,,0000,0000,0000,,Well, there's actually no limitation,
Dialogue: 0,0:27:25.78,0:27:27.82,Default,,0000,0000,0000,,and no distinction between the messages
Dialogue: 0,0:27:27.82,0:27:33.55,Default,,0000,0000,0000,,that the server would send\Nin that space with p and g,
Dialogue: 0,0:27:33.55,0:27:35.98,Default,,0000,0000,0000,,that says normal-grade Diffie-Hellman
Dialogue: 0,0:27:35.98,0:27:38.41,Default,,0000,0000,0000,,has to be more than 512 bits.
Dialogue: 0,0:27:38.41,0:27:41.11,Default,,0000,0000,0000,,In fact we found a handful of real sites
Dialogue: 0,0:27:41.11,0:27:43.48,Default,,0000,0000,0000,,that even for normal-strength\NDiffie-Hellman
Dialogue: 0,0:27:43.48,0:27:48.54,Default,,0000,0000,0000,,just happened to use 512-bit\Nor even weaker cryptography.
Dialogue: 0,0:27:48.54,0:27:50.96,Default,,0000,0000,0000,,So, as long as we modify\Nthis earlier message,
Dialogue: 0,0:27:50.96,0:27:52.68,Default,,0000,0000,0000,,the server's hello message,
Dialogue: 0,0:27:52.68,0:27:55.24,Default,,0000,0000,0000,,and make it say, "normal-strength\NDiffie-Hellman",
Dialogue: 0,0:27:55.24,0:27:57.46,Default,,0000,0000,0000,,there's no way for the client to tell
Dialogue: 0,0:27:57.46,0:27:59.42,Default,,0000,0000,0000,,from just the structure of the protocol,
Dialogue: 0,0:27:59.42,0:28:01.46,Default,,0000,0000,0000,,that anything is amiss.
Dialogue: 0,0:28:01.46,0:28:04.57,Default,,0000,0000,0000,,So, at this point, there is one last place
Dialogue: 0,0:28:04.57,0:28:06.13,Default,,0000,0000,0000,,that we could catch the problem,
Dialogue: 0,0:28:06.13,0:28:07.85,Default,,0000,0000,0000,,that the client or the server could see
Dialogue: 0,0:28:07.85,0:28:09.67,Default,,0000,0000,0000,,that something's wrong,
Dialogue: 0,0:28:09.67,0:28:12.80,Default,,0000,0000,0000,,which is that each side sends\Nthe other a finished message,
Dialogue: 0,0:28:12.80,0:28:15.01,Default,,0000,0000,0000,,here at the end,
Dialogue: 0,0:28:15.01,0:28:22.10,Default,,0000,0000,0000,,that says, basically, has, uses\Nthe session secrets
Dialogue: 0,0:28:22.10,0:28:25.02,Default,,0000,0000,0000,,to add an authentication code
Dialogue: 0,0:28:25.02,0:28:27.75,Default,,0000,0000,0000,,to a dialogue of all of the\Nprotocol messages
Dialogue: 0,0:28:27.75,0:28:30.37,Default,,0000,0000,0000,,that match the handshake dialogue,
Dialogue: 0,0:28:30.37,0:28:34.09,Default,,0000,0000,0000,,all the messages going back\Nin each direction so far
Dialogue: 0,0:28:34.09,0:28:37.28,Default,,0000,0000,0000,,have to be the same from each side of you.
Dialogue: 0,0:28:37.28,0:28:40.30,Default,,0000,0000,0000,,However, in our case, in Logjam, Dialogue: 0,0:28:40.30,0:28:43.17,Default,,0000,0000,0000,,the attacker is able to spoof\Nthese messages, Dialogue: 0,0:28:43.17,0:28:45.73,Default,,0000,0000,0000,,to make them look correct to each side. Dialogue: 0,0:28:45.73,0:28:48.37,Default,,0000,0000,0000,,He's able to modify that dialogue why? Dialogue: 0,0:28:48.37,0:28:52.90,Default,,0000,0000,0000,,Well, because we're using this\N512-bit Diffie-Hellman Dialogue: 0,0:28:52.90,0:28:58.15,Default,,0000,0000,0000,,that we know from using\Nthe number field sieve, Dialogue: 0,0:28:58.15,0:29:00.27,Default,,0000,0000,0000,,we are able to efficiently break. Dialogue: 0,0:29:00.27,0:29:02.73,Default,,0000,0000,0000,,So, if the attacker is able to quickly Dialogue: 0,0:29:02.73,0:29:03.99,Default,,0000,0000,0000,,perform the discrete log Dialogue: 0,0:29:03.99,0:29:08.56,Default,,0000,0000,0000,,on the Diffie-Hellman key exchange Dialogue: 0,0:29:08.56,0:29:11.43,Default,,0000,0000,0000,,that's going by at 512-bit strength, Dialogue: 0,0:29:11.43,0:29:14.61,Default,,0000,0000,0000,,then he can fix up the client\Nand server hello messages, Dialogue: 0,0:29:14.61,0:29:17.38,Default,,0000,0000,0000,,and neither side will notice\Nthat anything went wrong. Dialogue: 0,0:29:17.38,0:29:19.29,Default,,0000,0000,0000,,So that's Logjam in a nutshell. Dialogue: 0,0:29:19.29,0:29:21.79,Default,,0000,0000,0000,,I'm sorry, it's a little bit complicated. Dialogue: 0,0:29:21.79,0:29:24.68,Default,,0000,0000,0000,,So, how widely shared are Dialogue: 0,0:29:24.68,0:29:27.50,Default,,0000,0000,0000,,these Diffie-Hellman public parameters? Dialogue: 0,0:29:27.50,0:29:30.85,Default,,0000,0000,0000,,Well, we used Internet-wide\Nscanning to find out. 
Dialogue: 0,0:29:30.85,0:29:33.64,Default,,0000,0000,0000,,So, my group, we also made\Nsomething called zmap, Dialogue: 0,0:29:33.64,0:29:35.81,Default,,0000,0000,0000,,that I talked about here\Na couple of years ago, Dialogue: 0,0:29:35.81,0:29:39.01,Default,,0000,0000,0000,,which lets us quickly probe\Neverything on the Internet, Dialogue: 0,0:29:39.01,0:29:42.21,Default,,0000,0000,0000,,and so we did this and tried to make Dialogue: 0,0:29:42.21,0:29:44.48,Default,,0000,0000,0000,,connections to each HTTPS server Dialogue: 0,0:29:44.48,0:29:46.85,Default,,0000,0000,0000,,in the public IPv4 address space, Dialogue: 0,0:29:46.85,0:29:49.59,Default,,0000,0000,0000,,and found out what key exchange methods Dialogue: 0,0:29:49.59,0:29:52.28,Default,,0000,0000,0000,,were supported and with what primes. Dialogue: 0,0:29:52.28,0:29:56.12,Default,,0000,0000,0000,,And what we find is that 97% of hosts Dialogue: 0,0:29:56.12,0:29:58.47,Default,,0000,0000,0000,,that support export-grade Diffie-Hellman Dialogue: 0,0:29:58.47,0:30:01.13,Default,,0000,0000,0000,,use one of only 3 512-bit primes. Dialogue: 0,0:30:01.13,0:30:02.93,Default,,0000,0000,0000,,They're that widely-shared. Dialogue: 0,0:30:02.93,0:30:04.84,Default,,0000,0000,0000,,Why is this? Because those parameters Dialogue: 0,0:30:04.84,0:30:06.72,Default,,0000,0000,0000,,are very often either hard-coded Dialogue: 0,0:30:06.72,0:30:08.16,Default,,0000,0000,0000,,or encoded in standards Dialogue: 0,0:30:08.16,0:30:10.04,Default,,0000,0000,0000,,that different people implement. Dialogue: 0,0:30:10.04,0:30:11.68,Default,,0000,0000,0000,,The most common of these, Dialogue: 0,0:30:11.68,0:30:15.10,Default,,0000,0000,0000,,used by 80% of hosts that support\Nexport-grade Diffie-Hellman, Dialogue: 0,0:30:15.10,0:30:20.76,Default,,0000,0000,0000,,is a public parameter that's\Nhardcoded into Apache 2.2. 
Dialogue: 0,0:30:20.76,0:30:23.16,Default,,0000,0000,0000,,So, it's actually there,\Nembedded in the source,
Dialogue: 0,0:30:23.16,0:30:26.10,Default,,0000,0000,0000,,you have to recompile Apache to change it.
Dialogue: 0,0:30:26.10,0:30:28.50,Default,,0000,0000,0000,,13% of hosts supported something,
Dialogue: 0,0:30:28.50,0:30:31.85,Default,,0000,0000,0000,,a second prime that has also 512 bits,
Dialogue: 0,0:30:31.85,0:30:34.77,Default,,0000,0000,0000,,that's hardcoded in mod_ssl,
Dialogue: 0,0:30:34.77,0:30:37.26,Default,,0000,0000,0000,,and the next most popular, 4%,
Dialogue: 0,0:30:37.26,0:30:40.05,Default,,0000,0000,0000,,was in the Sun JDK.
Dialogue: 0,0:30:40.05,0:30:43.27,Default,,0000,0000,0000,,Only 10 primes accounted for 99%
Dialogue: 0,0:30:43.27,0:30:45.27,Default,,0000,0000,0000,,of all the hosts we found in\Nthe public address space
Dialogue: 0,0:30:45.27,0:30:49.09,Default,,0000,0000,0000,,that supported export-grade\NDiffie-Hellman.
Dialogue: 0,0:30:49.09,0:30:54.37,Default,,0000,0000,0000,,So, if we would like to compromise these,
Dialogue: 0,0:30:54.37,0:30:56.90,Default,,0000,0000,0000,,well, Nadia just told you about
Dialogue: 0,0:30:56.90,0:31:01.87,Default,,0000,0000,0000,,how long it takes to use\Nthe number field sieve
Dialogue: 0,0:31:01.87,0:31:05.05,Default,,0000,0000,0000,,to break 512-bit discrete log,
Dialogue: 0,0:31:05.05,0:31:08.48,Default,,0000,0000,0000,,well, we actually went and did\Nthe precomputation
Dialogue: 0,0:31:08.48,0:31:13.14,Default,,0000,0000,0000,,for all 3 of these most widely used\NDiffie-Hellman primes,
Dialogue: 0,0:31:13.14,0:31:18.76,Default,,0000,0000,0000,,and our colleagues who make a tool\Ncalled CADO-NFS
Dialogue: 0,0:31:18.76,0:31:22.18,Default,,0000,0000,0000,,were able to implement the code
Dialogue: 0,0:31:22.18,0:31:28.45,Default,,0000,0000,0000,,for that piece of the discrete log version\Nof the number field sieve
Dialogue: 0,0:31:28.45,0:31:30.96,Default,,0000,0000,0000,,and they ran the algorithm on these primes
Dialogue: 0,0:31:30.96,0:31:34.08,Default,,0000,0000,0000,,on a cluster they just happened\Nto have lying around,
Dialogue: 0,0:31:34.08,0:31:37.80,Default,,0000,0000,0000,,it took about a week of time\Non the cluster
Dialogue: 0,0:31:37.80,0:31:39.57,Default,,0000,0000,0000,,for each of these primes.
Dialogue: 0,0:31:39.57,0:31:41.98,Default,,0000,0000,0000,,After which, using an optimised version
Dialogue: 0,0:31:41.98,0:31:45.04,Default,,0000,0000,0000,,of the last portion of\Nthe number field sieve,
Dialogue: 0,0:31:45.04,0:31:47.53,Default,,0000,0000,0000,,it takes about 70 seconds for us to break
Dialogue: 0,0:31:47.53,0:31:49.47,Default,,0000,0000,0000,,any individual connection
Dialogue: 0,0:31:49.47,0:31:54.33,Default,,0000,0000,0000,,that uses any one of these\N3 most popular primes.
Dialogue: 0,0:31:54.33,0:31:57.09,Default,,0000,0000,0000,,So, Logjam and our precomputations
Dialogue: 0,0:31:57.09,0:31:59.10,Default,,0000,0000,0000,,now allow us to break any connection
Dialogue: 0,0:31:59.10,0:32:04.67,Default,,0000,0000,0000,,to about 8% of the top million\NHTTPS sites from Alexa
Dialogue: 0,0:32:04.67,0:32:07.92,Default,,0000,0000,0000,,and when we came up with this attack,
Dialogue: 0,0:32:07.92,0:32:10.95,Default,,0000,0000,0000,,it worked in all modern browsers.
Dialogue: 0,0:32:10.95,0:32:12.53,Default,,0000,0000,0000,,So, mitigation!
Dialogue: 0,0:32:12.53,0:32:19.28,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:32:19.28,0:32:21.77,Default,,0000,0000,0000,,This is bad, everyone, this is the crypto
Dialogue: 0,0:32:21.77,0:32:24.74,Default,,0000,0000,0000,,all of us are using.
Dialogue: 0,0:32:24.74,0:32:26.56,Default,,0000,0000,0000,,So we do have some mitigations.
Dialogue: 0,0:32:26.56,0:32:28.34,Default,,0000,0000,0000,,This is the actual positive part,
Dialogue: 0,0:32:28.34,0:32:29.84,Default,,0000,0000,0000,,is that the browser makers have now
Dialogue: 0,0:32:29.84,0:32:32.90,Default,,0000,0000,0000,,started to increase the minimum strength
Dialogue: 0,0:32:32.90,0:32:34.86,Default,,0000,0000,0000,,of Diffie-Hellman they will accept.
Dialogue: 0,0:32:34.86,0:32:37.01,Default,,0000,0000,0000,,So IE, Chrome, and Firefox will reject
Dialogue: 0,0:32:37.01,0:32:38.75,Default,,0000,0000,0000,,primes less than 1024 bits
Dialogue: 0,0:32:38.75,0:32:41.20,Default,,0000,0000,0000,,and Safari less than 768.
Dialogue: 0,0:32:41.20,0:32:43.98,Default,,0000,0000,0000,,And the new draft of TLS 1.3 is including
Dialogue: 0,0:32:43.98,0:32:45.20,Default,,0000,0000,0000,,an anti-downgrade flag
Dialogue: 0,0:32:45.20,0:32:46.69,Default,,0000,0000,0000,,that will make it even harder
Dialogue: 0,0:32:46.69,0:32:49.75,Default,,0000,0000,0000,,for such attacks to take place\Nin the future.
Dialogue: 0,0:32:49.75,0:32:52.14,Default,,0000,0000,0000,,Now back to Nadia.
Dialogue: 0,0:32:52.14,0:32:54.24,Default,,0000,0000,0000,,NH: So we promised in our abstract...
Dialogue: 0,0:32:54.24,0:32:59.60,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:32:59.60,0:33:02.19,Default,,0000,0000,0000,,...that there would be a hands-on\Nportion of this talk.
Dialogue: 0,0:33:02.19,0:33:03.57,Default,,0000,0000,0000,,So, you have a couple options,
Dialogue: 0,0:33:03.57,0:33:05.58,Default,,0000,0000,0000,,number 1 is, if you're really into this,
Dialogue: 0,0:33:05.58,0:33:08.23,Default,,0000,0000,0000,,you can do and download\NCADO-NFS yourselves,
Dialogue: 0,0:33:08.23,0:33:11.77,Default,,0000,0000,0000,,cado-nfs.gforge.inria.fr
Dialogue: 0,0:33:11.77,0:33:16.44,Default,,0000,0000,0000,,and, you know, run\Ndiscrete log algorithms yourselves
Dialogue: 0,0:33:16.44,0:33:17.79,Default,,0000,0000,0000,,for any prime you wish
Dialogue: 0,0:33:17.79,0:33:20.03,Default,,0000,0000,0000,,and then you can compute\Narbitrary discrete logs.
Dialogue: 0,0:33:20.03,0:33:21.70,Default,,0000,0000,0000,,However, since we have already done
Dialogue: 0,0:33:21.70,0:33:22.82,Default,,0000,0000,0000,,some of the computations,
Dialogue: 0,0:33:22.82,0:33:25.20,Default,,0000,0000,0000,,we figured that we would make\Nthem available for you guys
Dialogue: 0,0:33:25.20,0:33:26.93,Default,,0000,0000,0000,,if you wanted to play with them.
Dialogue: 0,0:33:26.93,0:33:32.59,Default,,0000,0000,0000,,So...\N{\i1}applause{\i0}
Dialogue: 0,0:33:32.59,0:33:36.17,Default,,0000,0000,0000,,We have done so through the Twitter API,
Dialogue: 0,0:33:36.17,0:33:39.15,Default,,0000,0000,0000,,so we have a bot running on Twitter
Dialogue: 0,0:33:39.15,0:33:40.58,Default,,0000,0000,0000,,and if you would like to compute
Dialogue: 0,0:33:40.58,0:33:45.11,Default,,0000,0000,0000,,discrete logs for any of these\Nwidely-used parameters,
Dialogue: 0,0:33:45.11,0:33:48.24,Default,,0000,0000,0000,,this bot will do so for you.
Dialogue: 0,0:33:48.24,0:33:52.91,Default,,0000,0000,0000,,So here is the group generator\Nand the primes in hexadecimal,
Dialogue: 0,0:33:52.91,0:33:56.91,Default,,0000,0000,0000,,for the 3 groups that we\Ndid the precomputation for.
Dialogue: 0,0:33:56.91,0:33:59.29,Default,,0000,0000,0000,,And if you wanted to test out,
Dialogue: 0,0:33:59.29,0:34:00.59,Default,,0000,0000,0000,,you would do something like this,
Dialogue: 0,0:34:00.59,0:34:01.81,Default,,0000,0000,0000,,so this is using Sage,
Dialogue: 0,0:34:01.81,0:34:04.91,Default,,0000,0000,0000,,which is a Python-based open source\Nmathematics package,
Dialogue: 0,0:34:04.91,0:34:06.76,Default,,0000,0000,0000,,that does a lot of algebra\Nand number theory,
Dialogue: 0,0:34:06.76,0:34:08.29,Default,,0000,0000,0000,,if you like playing with the stuff,
Dialogue: 0,0:34:08.29,0:34:09.43,Default,,0000,0000,0000,,Sage is super cool,
Dialogue: 0,0:34:09.43,0:34:15.50,Default,,0000,0000,0000,,so, I said, say, my prime m\Nis this last value in hex there,
Dialogue: 0,0:34:15.50,0:34:16.86,Default,,0000,0000,0000,,the mod_ssl prime,
Dialogue: 0,0:34:16.86,0:34:23.78,Default,,0000,0000,0000,,then I take 2 and raise it to\Nthe 0x1337 power mod m,
Dialogue: 0,0:34:23.78,0:34:26.19,Default,,0000,0000,0000,,and then I print it out in hexadecimal,
Dialogue: 0,0:34:26.19,0:34:35.23,Default,,0000,0000,0000,,and I get this value, then I can\Ncopy-paste it into a tweet @DLogBot
Dialogue: 0,0:34:35.23,0:34:39.05,Default,,0000,0000,0000,,then some comp stuff happens\Non our back end,
Dialogue: 0,0:34:39.05,0:34:40.89,Default,,0000,0000,0000,,this is running on one of\Nthe machines in my lab,
Dialogue: 0,0:34:40.89,0:34:43.53,Default,,0000,0000,0000,,so please don't break it,
Dialogue: 0,0:34:43.53,0:34:46.55,Default,,0000,0000,0000,,and after a minute or two,
Dialogue: 0,0:34:46.55,0:34:49.02,Default,,0000,0000,0000,,you should get back an answer.
Dialogue: 0,0:34:49.02,0:34:58.31,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:34:58.31,0:35:01.52,Default,,0000,0000,0000,,So, there's a queue,\Nonly one thing can run at a time,
Dialogue: 0,0:35:01.52,0:35:02.99,Default,,0000,0000,0000,,median time is 70 seconds,
Dialogue: 0,0:35:02.99,0:35:06.26,Default,,0000,0000,0000,,it can vary between\N30 seconds and 3 minutes,
Dialogue: 0,0:35:06.26,0:35:08.83,Default,,0000,0000,0000,,so, you know, if it doesn't respond to you
Dialogue: 0,0:35:08.83,0:35:12.47,Default,,0000,0000,0000,,within like, you know, an hour\Nor something,
Dialogue: 0,0:35:12.47,0:35:15.76,Default,,0000,0000,0000,,then send us a ping and we'll see\Nif it's still running.
Dialogue: 0,0:35:15.76,0:35:18.30,Default,,0000,0000,0000,,Okay. So, have fun.
Dialogue: 0,0:35:18.30,0:35:21.48,Default,,0000,0000,0000,,Please don't actually use this for malice.
Dialogue: 0,0:35:21.48,0:35:27.54,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:35:27.54,0:35:30.23,Default,,0000,0000,0000,,We already have some satisfied customers.
Dialogue: 0,0:35:30.23,0:35:33.97,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:35:33.97,0:35:35.79,Default,,0000,0000,0000,,AH: Alright, so we promised there were
Dialogue: 0,0:35:35.79,0:35:39.40,Default,,0000,0000,0000,,two exploits that have to do with\Nweakened Diffie-Hellman,
Dialogue: 0,0:35:39.40,0:35:41.75,Default,,0000,0000,0000,,and the first, Logjam, right, anyone can
Dialogue: 0,0:35:41.75,0:35:43.41,Default,,0000,0000,0000,,use backdoors from the 90s
Dialogue: 0,0:35:43.41,0:35:45.48,Default,,0000,0000,0000,,to pwn modern browsers,
Dialogue: 0,0:35:45.48,0:35:49.20,Default,,0000,0000,0000,,well, the second one is\Na little bit more widespread.
Dialogue: 0,0:35:49.20,0:35:50.81,Default,,0000,0000,0000,,So, we're going to talk about
Dialogue: 0,0:35:50.81,0:35:53.33,Default,,0000,0000,0000,,how Diffie-Hellman weaknesses
Dialogue: 0,0:35:53.33,0:35:56.15,Default,,0000,0000,0000,,can be used for mass surveillance.
Dialogue: 0,0:35:56.15,0:35:58.28,Default,,0000,0000,0000,,We believe that governments can probably
Dialogue: 0,0:35:58.28,0:36:03.28,Default,,0000,0000,0000,,already right now, exploit\N1024-bit discrete log
Dialogue: 0,0:36:03.28,0:36:08.05,Default,,0000,0000,0000,,to break Diffie-Hellman for\Nwide-scale passive decryption
Dialogue: 0,0:36:08.05,0:36:10.85,Default,,0000,0000,0000,,of Internet communications.
Dialogue: 0,0:36:10.85,0:36:13.97,Default,,0000,0000,0000,,So, is breaking 1024-bit Diffie-Hellman
Dialogue: 0,0:36:13.97,0:36:15.39,Default,,0000,0000,0000,,within the reach of governments,
Dialogue: 0,0:36:15.39,0:36:17.97,Default,,0000,0000,0000,,let's look back at these numbers quickly.
Dialogue: 0,0:36:17.97,0:36:22.30,Default,,0000,0000,0000,,So we can see that for 512-bit RSA\Nand Diffie-Hellman,
Dialogue: 0,0:36:22.30,0:36:26.09,Default,,0000,0000,0000,,they're both really in reach of\Nbasically any effort right now,
Dialogue: 0,0:36:26.09,0:36:27.67,Default,,0000,0000,0000,,any one of you can probably,
Dialogue: 0,0:36:27.67,0:36:30.21,Default,,0000,0000,0000,,most of the resources to do this.
Dialogue: 0,0:36:30.21,0:36:34.97,Default,,0000,0000,0000,,For 768-bit RSA or Diffie-Hellman,
Dialogue: 0,0:36:34.97,0:36:37.46,Default,,0000,0000,0000,,well, we think this is now in the reach
Dialogue: 0,0:36:37.46,0:36:41.33,Default,,0000,0000,0000,,of a concerted academic effort.
Dialogue: 0,0:36:41.33,0:36:44.82,Default,,0000,0000,0000,,For 1024, it's a little bit\Nmore complicated,
Dialogue: 0,0:36:44.82,0:36:46.71,Default,,0000,0000,0000,,because the number field sieve algorithm
Dialogue: 0,0:36:46.71,0:36:48.09,Default,,0000,0000,0000,,is complicated enough that even
Dialogue: 0,0:36:48.09,0:36:52.50,Default,,0000,0000,0000,,making estimates of the runtime\Nat this size and larger
Dialogue: 0,0:36:52.50,0:36:54.69,Default,,0000,0000,0000,,is very, very complicated
Dialogue: 0,0:36:54.69,0:36:58.20,Default,,0000,0000,0000,,and having a high-confidence estimate\Nis difficult.
Dialogue: 0,0:36:58.20,0:37:01.26,Default,,0000,0000,0000,,But we've tried to do the math\Nconservatively,
Dialogue: 0,0:37:01.26,0:37:03.49,Default,,0000,0000,0000,,and we believe that\Na conservative estimate,
Dialogue: 0,0:37:03.49,0:37:05.92,Default,,0000,0000,0000,,at least for 1024-bit Diffie-Hellman
Dialogue: 0,0:37:05.92,0:37:08.20,Default,,0000,0000,0000,,is to break, to do those precomputations
Dialogue: 0,0:37:08.20,0:37:10.63,Default,,0000,0000,0000,,for a single prime p,
Dialogue: 0,0:37:10.63,0:37:13.48,Default,,0000,0000,0000,,would take about 45 million core-years.
Dialogue: 0,0:37:13.48,0:37:18.19,Default,,0000,0000,0000,,Now 45 million core-years\Nsounds like a hell of a lot.
Dialogue: 0,0:37:18.19,0:37:20.52,Default,,0000,0000,0000,,But, when you start to think about it,
Dialogue: 0,0:37:20.52,0:37:22.64,Default,,0000,0000,0000,,if you're going to do\Nan effort that large,
Dialogue: 0,0:37:22.64,0:37:26.05,Default,,0000,0000,0000,,there are some optimisations\Nyou could start doing,
Dialogue: 0,0:37:26.05,0:37:28.92,Default,,0000,0000,0000,,and, for instance, maybe instead of
Dialogue: 0,0:37:28.92,0:37:31.69,Default,,0000,0000,0000,,running this on general-purpose PCs,
Dialogue: 0,0:37:31.69,0:37:33.04,Default,,0000,0000,0000,,like these estimates show,
Dialogue: 0,0:37:33.04,0:37:35.14,Default,,0000,0000,0000,,if you're going to do\Nan effort on this scale,
Dialogue: 0,0:37:35.14,0:37:37.56,Default,,0000,0000,0000,,maybe you're going to tape out some chips,
Dialogue: 0,0:37:37.56,0:37:39.80,Default,,0000,0000,0000,,maybe you're going to use custom hardware.
Dialogue: 0,0:37:39.80,0:37:42.52,Default,,0000,0000,0000,,And if we do the math and look at\Nwhat kind of gains
Dialogue: 0,0:37:42.52,0:37:44.38,Default,,0000,0000,0000,,we can get from custom hardware
Dialogue: 0,0:37:44.38,0:37:47.84,Default,,0000,0000,0000,,in other applications that\Nare similar to this,
Dialogue: 0,0:37:47.84,0:37:49.32,Default,,0000,0000,0000,,we estimate that we can get
Dialogue: 0,0:37:49.32,0:37:51.89,Default,,0000,0000,0000,,maybe a speedup of 80 times
Dialogue: 0,0:37:51.89,0:37:54.16,Default,,0000,0000,0000,,just by doing it in custom hardware.
Dialogue: 0,0:37:54.16,0:37:57.45,Default,,0000,0000,0000,,Okay, and then we ask what\Nthat's going to cost,
Dialogue: 0,0:37:57.45,0:38:00.67,Default,,0000,0000,0000,,well, we estimate that for...
Dialogue: 0,0:38:00.67,0:38:02.08,Default,,0000,0000,0000,,to build a machine that could break
Dialogue: 0,0:38:02.08,0:38:07.61,Default,,0000,0000,0000,,one 1024-bit p, precompute for\None 1024-bit p every year,
Dialogue: 0,0:38:07.61,0:38:09.07,Default,,0000,0000,0000,,would cost somewhere in the neighbourhood
Dialogue: 0,0:38:09.07,0:38:11.39,Default,,0000,0000,0000,,of low hundreds of millions of dollars,
Dialogue: 0,0:38:11.39,0:38:12.81,Default,,0000,0000,0000,,in a one-time investment.
Dialogue: 0,0:38:12.81,0:38:14.82,Default,,0000,0000,0000,,As a result of this, you can churn out
Dialogue: 0,0:38:14.82,0:38:16.63,Default,,0000,0000,0000,,precomputations once a year
Dialogue: 0,0:38:16.63,0:38:19.41,Default,,0000,0000,0000,,that will let you break efficiently
Dialogue: 0,0:38:19.41,0:38:22.60,Default,,0000,0000,0000,,every connection that uses that p.
Dialogue: 0,0:38:22.60,0:38:24.63,Default,,0000,0000,0000,,Now, individual logs then are going to be
Dialogue: 0,0:38:24.63,0:38:26.23,Default,,0000,0000,0000,,close to real-time, and in fact you can
Dialogue: 0,0:38:26.23,0:38:28.27,Default,,0000,0000,0000,,re-use much of the same hardware
Dialogue: 0,0:38:28.27,0:38:32.37,Default,,0000,0000,0000,,to do the computations for\Nindividual logs very quickly.
Dialogue: 0,0:38:32.37,0:38:34.59,Default,,0000,0000,0000,,So, um, oh shit.
Dialogue: 0,0:38:34.59,0:38:37.55,Default,,0000,0000,0000,,This is what the estimates look like.
Dialogue: 0,0:38:37.55,0:38:44.05,Default,,0000,0000,0000,,Now is NSA actually doing this?
Dialogue: 0,0:38:44.05,0:38:45.03,Default,,0000,0000,0000,,NH: This is where we get into
Dialogue: 0,0:38:45.03,0:38:47.73,Default,,0000,0000,0000,,the conspiracy theories.
Dialogue: 0,0:38:47.73,0:38:52.72,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,0:38:52.72,0:38:55.01,Default,,0000,0000,0000,,So, there have been rumours flying around
Dialogue: 0,0:38:55.01,0:38:56.93,Default,,0000,0000,0000,,for many years, I mean\Nfor decades, really,
Dialogue: 0,0:38:56.93,0:38:59.72,Default,,0000,0000,0000,,but sort of credible rumours\Nfor many years,
Dialogue: 0,0:38:59.72,0:39:02.81,Default,,0000,0000,0000,,of some large cryptanalytic breakthrough
Dialogue: 0,0:39:02.81,0:39:04.13,Default,,0000,0000,0000,,that the NSA made.
Dialogue: 0,0:39:04.13,0:39:05.89,Default,,0000,0000,0000,,So here's an article from James Bamford,
Dialogue: 0,0:39:05.89,0:39:09.31,Default,,0000,0000,0000,,one of the, you know, world experts\Nin open ???
Dialogue: 0,0:39:09.31,0:39:11.35,Default,,0000,0000,0000,,of what the NSA's activities are
Dialogue: 0,0:39:11.35,0:39:13.82,Default,,0000,0000,0000,,and he wrote an article in 2012
Dialogue: 0,0:39:13.82,0:39:15.53,Default,,0000,0000,0000,,saying very clearly that he had talked
Dialogue: 0,0:39:15.53,0:39:17.29,Default,,0000,0000,0000,,to multiple government officials
Dialogue: 0,0:39:17.29,0:39:19.98,Default,,0000,0000,0000,,who said that the NSA made\Nsome enormous breakthrough
Dialogue: 0,0:39:19.98,0:39:21.26,Default,,0000,0000,0000,,several years ago.
Dialogue: 0,0:39:21.26,0:39:22.77,Default,,0000,0000,0000,,Everybody's a target,
Dialogue: 0,0:39:22.77,0:39:24.73,Default,,0000,0000,0000,,everybody with communication is a target,
Dialogue: 0,0:39:24.73,0:39:25.96,Default,,0000,0000,0000,,and this computing breakthrough
Dialogue: 0,0:39:25.96,0:39:27.32,Default,,0000,0000,0000,,is going to give them the ability
Dialogue: 0,0:39:27.32,0:39:29.48,Default,,0000,0000,0000,,to crack current public encryption.
Dialogue: 0,0:39:29.48,0:39:31.96,Default,,0000,0000,0000,,And it was so secret that no oversight,
Dialogue: 0,0:39:31.96,0:39:35.15,Default,,0000,0000,0000,,anybody had sort of access\Nto the details of it.
Dialogue: 0,0:39:35.15,0:39:38.77,Default,,0000,0000,0000,,But whatever it was,\Nit was major and massive.
Dialogue: 0,0:39:38.77,0:39:40.25,Default,,0000,0000,0000,,Of course, you know, after we saw this,
Dialogue: 0,0:39:40.25,0:39:41.53,Default,,0000,0000,0000,,we said, oh my god, you know,
Dialogue: 0,0:39:41.53,0:39:42.47,Default,,0000,0000,0000,,what could it possibly be,
Dialogue: 0,0:39:42.47,0:39:44.37,Default,,0000,0000,0000,,are they breaking RSA?
Dialogue: 0,0:39:44.37,0:39:46.09,Default,,0000,0000,0000,,Bamford actually goes on in this article
Dialogue: 0,0:39:46.09,0:39:48.96,Default,,0000,0000,0000,,to speculate that it's\Nsomething about AES,
Dialogue: 0,0:39:48.96,0:39:51.17,Default,,0000,0000,0000,,which at least to my mind\Nseems less likely
Dialogue: 0,0:39:51.17,0:39:54.51,Default,,0000,0000,0000,,than some kind of major\Npublic key breakthrough.
Dialogue: 0,0:39:54.51,0:39:56.48,Default,,0000,0000,0000,,So clearly we have sort of these rumours
Dialogue: 0,0:39:56.48,0:40:02.20,Default,,0000,0000,0000,,of large breakthroughs by the NSA's\Ntens of thousands of mathematicians.
Dialogue: 0,0:40:02.20,0:40:04.98,Default,,0000,0000,0000,,Simultaneously, we can say, you know,
Dialogue: 0,0:40:04.98,0:40:07.91,Default,,0000,0000,0000,,we know the NSA is clearly\Ninterested in cryptanalysis,
Dialogue: 0,0:40:07.91,0:40:11.39,Default,,0000,0000,0000,,is cryptanalysis on the scale\Nof hundreds of millions of dollars
Dialogue: 0,0:40:11.39,0:40:13.63,Default,,0000,0000,0000,,within their reach?
Dialogue: 0,0:40:13.63,0:40:17.26,Default,,0000,0000,0000,,The answer, thanks to Snowden, is yes.
Dialogue: 0,0:40:17.26,0:40:18.92,Default,,0000,0000,0000,,We have some of their budgets
Dialogue: 0,0:40:18.92,0:40:21.70,Default,,0000,0000,0000,,and they spend billions of dollars a year
Dialogue: 0,0:40:21.70,0:40:23.65,Default,,0000,0000,0000,,on computer network operations,
Dialogue: 0,0:40:23.65,0:40:25.56,Default,,0000,0000,0000,,they spend hundreds of millions of dollars
Dialogue: 0,0:40:25.56,0:40:28.11,Default,,0000,0000,0000,,on cryptanalytic IT systems,
Dialogue: 0,0:40:28.11,0:40:31.49,Default,,0000,0000,0000,,cybercryptanalysis,\Nexploitation solutions,
Dialogue: 0,0:40:31.49,0:40:33.98,Default,,0000,0000,0000,,in fact, a couple years ago there was even
Dialogue: 0,0:40:33.98,0:40:41.83,Default,,0000,0000,0000,,an increase of hundreds of millions of\Ndollars in their budget for cryptanalysis.
Dialogue: 0,0:40:41.83,0:40:42.95,Default,,0000,0000,0000,,Interesting.
Dialogue: 0,0:40:42.95,0:40:45.36,Default,,0000,0000,0000,,So, a hundred million dollars of\Nspecial-purpose hardware
Dialogue: 0,0:40:45.36,0:40:51.88,Default,,0000,0000,0000,,is certainly within range\Nof a government the size of ours.
Dialogue: 0,0:40:51.88,0:40:53.63,Default,,0000,0000,0000,,Additionally, we can ask,
Dialogue: 0,0:40:53.63,0:40:55.86,Default,,0000,0000,0000,,what would the impact of doing one of
Dialogue: 0,0:40:55.86,0:40:57.60,Default,,0000,0000,0000,,these single precomputations
Dialogue: 0,0:40:57.60,0:41:01.67,Default,,0000,0000,0000,,for a discrete log\Nfor a single prime would be,
Dialogue: 0,0:41:01.67,0:41:04.59,Default,,0000,0000,0000,,and the answer is actually\Nsurprisingly large.
Dialogue: 0,0:41:04.59,0:41:06.15,Default,,0000,0000,0000,,So if you did this precomputation
Dialogue: 0,0:41:06.15,0:41:08.75,Default,,0000,0000,0000,,for a single 1024-bit prime,
Dialogue: 0,0:41:08.75,0:41:10.62,Default,,0000,0000,0000,,that would allow passive decryption
Dialogue: 0,0:41:10.62,0:41:13.29,Default,,0000,0000,0000,,of connections to 66% of VPN servers
Dialogue: 0,0:41:13.29,0:41:16.02,Default,,0000,0000,0000,,and 26% of SSH servers.
Dialogue: 0,0:41:16.02,0:41:18.18,Default,,0000,0000,0000,,This is from Internet-wide scanning,
Dialogue: 0,0:41:18.18,0:41:19.52,Default,,0000,0000,0000,,we connected to all of these
Dialogue: 0,0:41:19.52,0:41:21.38,Default,,0000,0000,0000,,and we said "we would like to speak
Dialogue: 0,0:41:21.38,0:41:24.12,Default,,0000,0000,0000,,Diffie-Hellman with you,\Nwhat parameters do you prefer?"
Dialogue: 0,0:41:24.12,0:41:26.78,Default,,0000,0000,0000,,and these are the servers that preferred
Dialogue: 0,0:41:26.78,0:41:32.06,Default,,0000,0000,0000,,a single 1024-bit prime over\Nevery other parameter in key size.
Dialogue: 0,0:41:32.06,0:41:33.77,Default,,0000,0000,0000,,A second 1024-bit prime would allow
Dialogue: 0,0:41:33.77,0:41:38.63,Default,,0000,0000,0000,,passive decryption for 18%\Nof the top million HTTPS domains.
Dialogue: 0,0:41:38.63,0:41:40.08,Default,,0000,0000,0000,,These are domains that prefer
Dialogue: 0,0:41:40.08,0:41:45.67,Default,,0000,0000,0000,,to speak Diffie-Hellman\Nwith this fixed prime.
Dialogue: 0,0:41:45.67,0:41:47.72,Default,,0000,0000,0000,,And, the final piece of evidence
Dialogue: 0,0:41:47.72,0:41:49.84,Default,,0000,0000,0000,,for something like this being within range
Dialogue: 0,0:41:49.84,0:41:52.28,Default,,0000,0000,0000,,and at least being worth worrying about
Dialogue: 0,0:41:52.28,0:41:57.63,Default,,0000,0000,0000,,is actually some of the slides\Nthat were released last year,
Dialogue: 0,0:41:57.63,0:41:59.05,Default,,0000,0000,0000,,by Der Spiegel,
Dialogue: 0,0:41:59.05,0:42:01.78,Default,,0000,0000,0000,,and in particular they have\Na large amount of detail
Dialogue: 0,0:42:01.78,0:42:06.53,Default,,0000,0000,0000,,about passive decryptions of VPN traffic.
Dialogue: 0,0:42:06.53,0:42:08.23,Default,,0000,0000,0000,,So here's an example,
Dialogue: 0,0:42:08.23,0:42:09.51,Default,,0000,0000,0000,,it is clear from the slides that
Dialogue: 0,0:42:09.51,0:42:10.58,Default,,0000,0000,0000,,whatever the NSA is doing,
Dialogue: 0,0:42:10.58,0:42:12.42,Default,,0000,0000,0000,,they have the ability to passively decrypt
Dialogue: 0,0:42:12.42,0:42:15.28,Default,,0000,0000,0000,,VPN connections on a large scale.
Dialogue: 0,0:42:15.28,0:42:18.90,Default,,0000,0000,0000,,And they're very happy about it.
Dialogue: 0,0:42:18.90,0:42:21.48,Default,,0000,0000,0000,,I think this is my favourite\NSnowden slide ever.
Dialogue: 0,0:42:21.48,0:42:22.62,Default,,0000,0000,0000,,{\i1}laughter{\i0}
Dialogue: 0,0:42:22.62,0:42:25.01,Default,,0000,0000,0000,,I feel this way when I decrypt things too.
Dialogue: 0,0:42:25.01,0:42:27.09,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:42:27.09,0:42:29.58,Default,,0000,0000,0000,,So, if we take a look at what, Dialogue: 0,0:42:29.58,0:42:33.54,Default,,0000,0000,0000,,and these slides are specifically\Ntalking about IPsec VPNs, Dialogue: 0,0:42:33.54,0:42:39.10,Default,,0000,0000,0000,,if we take a look at what the\Nkey exchange looks like for IPsec VPNs, Dialogue: 0,0:42:39.10,0:42:41.26,Default,,0000,0000,0000,,what happens is, we have two hosts Dialogue: 0,0:42:41.26,0:42:45.40,Default,,0000,0000,0000,,who want to make a VPN\Nconnection with each other, Dialogue: 0,0:42:45.40,0:42:50.95,Default,,0000,0000,0000,,the key exchange actually uses a\Nfixed set of parameters Dialogue: 0,0:42:50.95,0:42:54.08,Default,,0000,0000,0000,,from a small list of possibilities, Dialogue: 0,0:42:54.08,0:42:55.62,Default,,0000,0000,0000,,and so Alice and Bob will negotiate Dialogue: 0,0:42:55.62,0:42:58.04,Default,,0000,0000,0000,,which parameters they're going\Nto use from this list, Dialogue: 0,0:42:58.04,0:43:00.05,Default,,0000,0000,0000,,and then they will do a\NDiffie-Hellman key exchange, Dialogue: 0,0:43:00.05,0:43:03.24,Default,,0000,0000,0000,,from that they will have\Na shared secret, g^ab, Dialogue: 0,0:43:03.24,0:43:05.55,Default,,0000,0000,0000,,and then they, in the most\Ncommonly used mode, Dialogue: 0,0:43:05.55,0:43:07.14,Default,,0000,0000,0000,,they also have some pre-shared key, Dialogue: 0,0:43:07.14,0:43:09.40,Default,,0000,0000,0000,,like a password that has been shared Dialogue: 0,0:43:09.40,0:43:11.25,Default,,0000,0000,0000,,over some other channel. Dialogue: 0,0:43:11.25,0:43:14.01,Default,,0000,0000,0000,,And that Diffie-Hellman secret Dialogue: 0,0:43:14.01,0:43:16.02,Default,,0000,0000,0000,,that was negotiated together\Nwith the pre-shared key Dialogue: 0,0:43:16.02,0:43:19.37,Default,,0000,0000,0000,,or mixed together to generate\Nthe session key. 
Dialogue: 0,0:43:19.37,0:43:22.30,Default,,0000,0000,0000,,So, if somebody wanted to Dialogue: 0,0:43:22.30,0:43:24.33,Default,,0000,0000,0000,,break a connection of this type, Dialogue: 0,0:43:24.33,0:43:26.08,Default,,0000,0000,0000,,one option would be to, say, Dialogue: 0,0:43:26.08,0:43:28.01,Default,,0000,0000,0000,,steal the pre-shared key\Nthrough some other mechanism Dialogue: 0,0:43:28.01,0:43:29.38,Default,,0000,0000,0000,,and then break Diffie-Hellman. Dialogue: 0,0:43:29.38,0:43:32.56,Default,,0000,0000,0000,,That would be a possibility. Dialogue: 0,0:43:32.56,0:43:35.50,Default,,0000,0000,0000,,So, if we look what the\NNSA's requirements are Dialogue: 0,0:43:35.50,0:43:38.92,Default,,0000,0000,0000,,for their mass-scale decryption efforts, Dialogue: 0,0:43:38.92,0:43:42.37,Default,,0000,0000,0000,,they require finding out what\Nthe pre-shared key is, Dialogue: 0,0:43:42.37,0:43:44.99,Default,,0000,0000,0000,,getting both sides of the connection, Dialogue: 0,0:43:44.99,0:43:47.69,Default,,0000,0000,0000,,getting both the asymmetric key exchange Dialogue: 0,0:43:47.69,0:43:50.35,Default,,0000,0000,0000,,and the symmetrically encrypted data, Dialogue: 0,0:43:50.35,0:43:52.59,Default,,0000,0000,0000,,and then having some metadata. Dialogue: 0,0:43:52.59,0:43:56.24,Default,,0000,0000,0000,,These are the requirements for them\Nto get decryption. 
Dialogue: 0,0:43:56.24,0:43:58.21,Default,,0000,0000,0000,,And we can also take a closer look Dialogue: 0,0:43:58.21,0:44:04.26,Default,,0000,0000,0000,,at what their decryption flow\Nactually looks like, Dialogue: 0,0:44:04.26,0:44:06.29,Default,,0000,0000,0000,,this is somewhat complicated, Dialogue: 0,0:44:06.29,0:44:07.85,Default,,0000,0000,0000,,but in this diagram, Dialogue: 0,0:44:07.85,0:44:10.84,Default,,0000,0000,0000,,so they're getting the IKE exchange, Dialogue: 0,0:44:10.84,0:44:12.99,Default,,0000,0000,0000,,and the symmetric data, Dialogue: 0,0:44:12.99,0:44:17.13,Default,,0000,0000,0000,,they're sending it into\None system that they have, Dialogue: 0,0:44:17.13,0:44:19.23,Default,,0000,0000,0000,,they're sending the IKE messages through Dialogue: 0,0:44:19.23,0:44:21.88,Default,,0000,0000,0000,,out to some high-performance\Ncomputing resources, Dialogue: 0,0:44:21.88,0:44:23.62,Default,,0000,0000,0000,,and then they get sent back with Dialogue: 0,0:44:23.62,0:44:28.69,Default,,0000,0000,0000,,some data from stored\Ndatabases of information Dialogue: 0,0:44:28.69,0:44:32.91,Default,,0000,0000,0000,,that returns the actual decrypted data. Dialogue: 0,0:44:32.91,0:44:34.84,Default,,0000,0000,0000,,So that's what the decryption\Nflow looks like. Dialogue: 0,0:44:34.84,0:44:37.13,Default,,0000,0000,0000,,We don't have any details\Nof the cryptanalysis, Dialogue: 0,0:44:37.13,0:44:39.48,Default,,0000,0000,0000,,but we have details from\Nthe sysadmin's perspective Dialogue: 0,0:44:39.48,0:44:43.19,Default,,0000,0000,0000,,of how the systems\Nthat do the cryptanalysis Dialogue: 0,0:44:43.19,0:44:44.67,Default,,0000,0000,0000,,are hooked together.
Dialogue: 0,0:44:44.67,0:44:46.00,Default,,0000,0000,0000,,And they're doing something Dialogue: 0,0:44:46.00,0:44:48.28,Default,,0000,0000,0000,,that requires high-performance computing, Dialogue: 0,0:44:48.28,0:44:49.70,Default,,0000,0000,0000,,that takes in key exchanges Dialogue: 0,0:44:49.70,0:44:54.04,Default,,0000,0000,0000,,and hands out decrypted data. Dialogue: 0,0:44:54.04,0:44:59.74,Default,,0000,0000,0000,,So, we can line up sort of the NSA's\Non-demand IKE decryption Dialogue: 0,0:44:59.74,0:45:03.71,Default,,0000,0000,0000,,with what a discrete log decryption\Nwould actually look like, Dialogue: 0,0:45:03.71,0:45:05.62,Default,,0000,0000,0000,,and they're very close, Dialogue: 0,0:45:05.62,0:45:07.64,Default,,0000,0000,0000,,so they would both require\Nthe pre-shared key, Dialogue: 0,0:45:07.64,0:45:09.49,Default,,0000,0000,0000,,both sides of the handshake, Dialogue: 0,0:45:09.49,0:45:12.44,Default,,0000,0000,0000,,both the handshake and the symmetric data, Dialogue: 0,0:45:12.44,0:45:13.45,Default,,0000,0000,0000,,and they would send off the data Dialogue: 0,0:45:13.45,0:45:16.09,Default,,0000,0000,0000,,to high-performance computing. Dialogue: 0,0:45:16.09,0:45:17.99,Default,,0000,0000,0000,,So in the same set of slides, Dialogue: 0,0:45:17.99,0:45:20.77,Default,,0000,0000,0000,,they also discuss targeted implants Dialogue: 0,0:45:20.77,0:45:23.04,Default,,0000,0000,0000,,against particular implementations, Dialogue: 0,0:45:23.04,0:45:26.89,Default,,0000,0000,0000,,if you were going to design a\Nbackdoor to make your life easy, Dialogue: 0,0:45:26.89,0:45:30.36,Default,,0000,0000,0000,,you would have fewer\Nrequirements than this. Dialogue: 0,0:45:30.36,0:45:31.32,Default,,0000,0000,0000,,Potentially. 
Dialogue: 0,0:45:31.32,0:45:33.09,Default,,0000,0000,0000,,There are many kinds of backdoors\Nthat you could design, Dialogue: 0,0:45:33.09,0:45:35.19,Default,,0000,0000,0000,,but if you were being clever about it, Dialogue: 0,0:45:35.19,0:45:38.09,Default,,0000,0000,0000,,you might try to make it\Na little bit easier on yourself Dialogue: 0,0:45:38.09,0:45:41.10,Default,,0000,0000,0000,,to decrypt the mess. Dialogue: 0,0:45:41.10,0:45:43.75,Default,,0000,0000,0000,,So I will let Alex finish with this. Dialogue: 0,0:45:43.75,0:45:51.09,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:45:51.09,0:45:53.89,Default,,0000,0000,0000,,So to wrap up, Dialogue: 0,0:45:53.89,0:45:55.52,Default,,0000,0000,0000,,what we've seen today Dialogue: 0,0:45:55.52,0:46:00.15,Default,,0000,0000,0000,,through the cryptanalysis\Nof Diffie-Hellman Dialogue: 0,0:46:00.15,0:46:05.33,Default,,0000,0000,0000,,is probably a mass surveillance dream. Dialogue: 0,0:46:05.33,0:46:08.18,Default,,0000,0000,0000,,The algorithms that we've talked about Dialogue: 0,0:46:08.18,0:46:11.40,Default,,0000,0000,0000,,would let a government with\Nsufficient resources Dialogue: 0,0:46:11.40,0:46:15.01,Default,,0000,0000,0000,,to invest in these precomputation attacks Dialogue: 0,0:46:15.01,0:46:18.84,Default,,0000,0000,0000,,break connections on an almost\Nunheard-of scale, Dialogue: 0,0:46:18.84,0:46:23.95,Default,,0000,0000,0000,,across almost every widely-used\Ncrypto protocol on the Internet. Dialogue: 0,0:46:23.95,0:46:25.53,Default,,0000,0000,0000,,Here are some numbers again, Dialogue: 0,0:46:25.53,0:46:28.49,Default,,0000,0000,0000,,for HTTPS, the top million sites, Dialogue: 0,0:46:28.49,0:46:29.96,Default,,0000,0000,0000,,we're looking at a device like Dialogue: 0,0:46:29.96,0:46:32.48,Default,,0000,0000,0000,,the ones we hypothesised Dialogue: 0,0:46:32.48,0:46:38.15,Default,,0000,0000,0000,,breaking connections to maybe\N56% of them passively. 
Dialogue: 0,0:46:38.15,0:46:42.90,Default,,0000,0000,0000,,For IKE, for Internet key\Nexchange v1 and v2, Dialogue: 0,0:46:42.90,0:46:46.09,Default,,0000,0000,0000,,we're looking at in the 60%s of servers Dialogue: 0,0:46:46.09,0:46:48.24,Default,,0000,0000,0000,,are potentially compromisable Dialogue: 0,0:46:48.24,0:46:50.75,Default,,0000,0000,0000,,using this same hardware. Dialogue: 0,0:46:50.75,0:47:00.29,Default,,0000,0000,0000,,For SSH, for IMAP with secure encrypted\Nconnections, for SMTP with STARTTLS, Dialogue: 0,0:47:00.29,0:47:02.26,Default,,0000,0000,0000,,the encrypted mail transports, Dialogue: 0,0:47:02.26,0:47:05.57,Default,,0000,0000,0000,,all of these protocols are\Npotentially jeopardised Dialogue: 0,0:47:05.57,0:47:07.39,Default,,0000,0000,0000,,by the same kind of attack, Dialogue: 0,0:47:07.39,0:47:09.49,Default,,0000,0000,0000,,because everyone fundamentally, Dialogue: 0,0:47:09.49,0:47:11.11,Default,,0000,0000,0000,,so many people fundamentally Dialogue: 0,0:47:11.11,0:47:14.40,Default,,0000,0000,0000,,rely on the same underlying cryptography, Dialogue: 0,0:47:14.40,0:47:17.05,Default,,0000,0000,0000,,often with the very same public parameters Dialogue: 0,0:47:17.05,0:47:19.56,Default,,0000,0000,0000,,that are so widely shared. Dialogue: 0,0:47:19.56,0:47:21.85,Default,,0000,0000,0000,,So what can we do about this? Dialogue: 0,0:47:21.85,0:47:24.82,Default,,0000,0000,0000,,So first, let's go back to the\NLogjam attack again, Dialogue: 0,0:47:24.82,0:47:27.49,Default,,0000,0000,0000,,using 90s-era backdoored crypto Dialogue: 0,0:47:27.49,0:47:30.93,Default,,0000,0000,0000,,that lets any of us break connections\Nto modern browsers. 
Dialogue: 0,0:47:30.93,0:47:32.76,Default,,0000,0000,0000,,Luckily, browsers have already started Dialogue: 0,0:47:32.76,0:47:34.49,Default,,0000,0000,0000,,to mitigate this, as I said, Dialogue: 0,0:47:34.49,0:47:35.99,Default,,0000,0000,0000,,by increasing the minimum strength Dialogue: 0,0:47:35.99,0:47:37.47,Default,,0000,0000,0000,,of Diffie-Hellman they support, Dialogue: 0,0:47:37.47,0:47:39.65,Default,,0000,0000,0000,,although there's still a way to go there, Dialogue: 0,0:47:39.65,0:47:43.35,Default,,0000,0000,0000,,since they're all still accepting\N1024-bit key exchange. Dialogue: 0,0:47:43.35,0:47:45.76,Default,,0000,0000,0000,,Our biggest recommendation\Nunder here though, Dialogue: 0,0:47:45.76,0:47:49.16,Default,,0000,0000,0000,,I think the lesson is:\Ndon't backdoor crypto! Dialogue: 0,0:47:49.16,0:47:50.81,Default,,0000,0000,0000,,Right, because the backdoored crypto Dialogue: 0,0:47:50.81,0:47:52.84,Default,,0000,0000,0000,,of 20 years ago is now coming back Dialogue: 0,0:47:52.84,0:47:54.51,Default,,0000,0000,0000,,to bite everyone. Dialogue: 0,0:47:54.51,0:47:59.44,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:47:59.44,0:48:01.63,Default,,0000,0000,0000,,And then, we have the second attack, Dialogue: 0,0:48:01.63,0:48:03.51,Default,,0000,0000,0000,,the 1024-bit case that enables Dialogue: 0,0:48:03.51,0:48:05.22,Default,,0000,0000,0000,,so much mass surveillance. Dialogue: 0,0:48:05.22,0:48:06.97,Default,,0000,0000,0000,,Well, to get around this, Dialogue: 0,0:48:06.97,0:48:09.57,Default,,0000,0000,0000,,we're going to have to do some upgrades. 
Dialogue: 0,0:48:09.57,0:48:11.44,Default,,0000,0000,0000,,Probably the easiest thing to do, Dialogue: 0,0:48:11.44,0:48:12.86,Default,,0000,0000,0000,,and the thing that almost Dialogue: 0,0:48:12.86,0:48:15.42,Default,,0000,0000,0000,,every cryptographer that we talked to Dialogue: 0,0:48:15.42,0:48:16.59,Default,,0000,0000,0000,,recommends now, Dialogue: 0,0:48:16.59,0:48:18.69,Default,,0000,0000,0000,,is to move to elliptic-curve crypto. Dialogue: 0,0:48:18.69,0:48:19.95,Default,,0000,0000,0000,,Yes, there's been talk Dialogue: 0,0:48:19.95,0:48:22.53,Default,,0000,0000,0000,,about whether the specific NIST curves Dialogue: 0,0:48:22.53,0:48:25.79,Default,,0000,0000,0000,,may have been backdoored by NSA, Dialogue: 0,0:48:25.79,0:48:27.47,Default,,0000,0000,0000,,but by and large, we think that Dialogue: 0,0:48:27.47,0:48:29.59,Default,,0000,0000,0000,,elliptic curve is the most sound choice Dialogue: 0,0:48:29.59,0:48:31.55,Default,,0000,0000,0000,,we have for now. Dialogue: 0,0:48:31.55,0:48:33.12,Default,,0000,0000,0000,,Now if elliptic curve isn't an option, Dialogue: 0,0:48:33.12,0:48:35.49,Default,,0000,0000,0000,,and there's technical reasons\Nwhy it might not be, Dialogue: 0,0:48:35.49,0:48:38.57,Default,,0000,0000,0000,,at the very least use\Na Diffie-Hellman prime Dialogue: 0,0:48:38.57,0:48:41.41,Default,,0000,0000,0000,,that's 2048 bits or longer. Dialogue: 0,0:48:41.41,0:48:43.48,Default,,0000,0000,0000,,If even that isn't an option, Dialogue: 0,0:48:43.48,0:48:45.97,Default,,0000,0000,0000,,you're using legacy systems\Nfor some reason, Dialogue: 0,0:48:45.97,0:48:49.61,Default,,0000,0000,0000,,well, or Java yes, thanks, Dialogue: 0,0:48:49.61,0:48:52.71,Default,,0000,0000,0000,,if there's anyone there who works for Sun, Dialogue: 0,0:48:52.71,0:48:58.34,Default,,0000,0000,0000,,please, please tell them\Nto fix the crypto in Java! 
Dialogue: 0,0:48:58.34,0:49:04.92,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:49:04.92,0:49:06.74,Default,,0000,0000,0000,,But if that's not an option, Dialogue: 0,0:49:06.74,0:49:07.66,Default,,0000,0000,0000,,if that's not an option, Dialogue: 0,0:49:07.66,0:49:09.36,Default,,0000,0000,0000,,the fallback is you can generate, Dialogue: 0,0:49:09.36,0:49:13.89,Default,,0000,0000,0000,,at least generate your own 1024-bit prime. Dialogue: 0,0:49:13.89,0:49:17.00,Default,,0000,0000,0000,,Mind you, there are various tricks\Nthat you have to make sure you do Dialogue: 0,0:49:17.00,0:49:20.31,Default,,0000,0000,0000,,when generating a prime,\Nit must be a safe prime, Dialogue: 0,0:49:20.31,0:49:22.45,Default,,0000,0000,0000,,but there are implementations\Nof doing this, Dialogue: 0,0:49:22.45,0:49:27.10,Default,,0000,0000,0000,,so it's not exactly free to generate\Nyour own 1024-bit prime, Dialogue: 0,0:49:27.10,0:49:28.30,Default,,0000,0000,0000,,but it's inexpensive, Dialogue: 0,0:49:28.30,0:49:29.81,Default,,0000,0000,0000,,and if you have no other option, Dialogue: 0,0:49:29.81,0:49:32.95,Default,,0000,0000,0000,,at least so that this large\Ngovernment adversary Dialogue: 0,0:49:32.95,0:49:35.00,Default,,0000,0000,0000,,has to spend a lot of precomputation, Dialogue: 0,0:49:35.00,0:49:37.99,Default,,0000,0000,0000,,a year perhaps, targeting\Nyou individually, Dialogue: 0,0:49:37.99,0:49:40.33,Default,,0000,0000,0000,,and they can't just get this for free. Dialogue: 0,0:49:40.33,0:49:43.36,Default,,0000,0000,0000,,Alright, so, that is our talk for tonight, Dialogue: 0,0:49:43.36,0:49:45.95,Default,,0000,0000,0000,,we're saving a lot of time for questions, Dialogue: 0,0:49:45.95,0:49:49.04,Default,,0000,0000,0000,,thank you all very very much. Dialogue: 0,0:49:49.04,0:50:00.41,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:50:00.41,0:50:05.30,Default,,0000,0000,0000,,Herald: Nadia. Nadia and Alex,\Nthank you very much.
Dialogue: 0,0:50:05.30,0:50:07.35,Default,,0000,0000,0000,,We installed some microphones\Nhere in the room, Dialogue: 0,0:50:07.35,0:50:09.29,Default,,0000,0000,0000,,so please queue up, but first, Dialogue: 0,0:50:09.29,0:50:11.89,Default,,0000,0000,0000,,signal angel, do we have\Nsome questions from the net? Dialogue: 0,0:50:11.89,0:50:14.81,Default,,0000,0000,0000,,Signal Angel: Yes, we have a lot of questions. Dialogue: 0,0:50:14.81,0:50:16.16,Default,,0000,0000,0000,,First question is, Dialogue: 0,0:50:16.16,0:50:17.78,Default,,0000,0000,0000,,do you think it's possible that the NSA Dialogue: 0,0:50:17.78,0:50:19.89,Default,,0000,0000,0000,,uses quantum Shor factorisation Dialogue: 0,0:50:19.89,0:50:24.79,Default,,0000,0000,0000,,for 1024 or bigger keys already? Dialogue: 0,0:50:24.79,0:50:27.52,Default,,0000,0000,0000,,NH: I would believe it is much more likely Dialogue: 0,0:50:27.52,0:50:29.72,Default,,0000,0000,0000,,that they're using classical cryptanalysis Dialogue: 0,0:50:29.72,0:50:31.48,Default,,0000,0000,0000,,for 1024-bit keys than that they have Dialogue: 0,0:50:31.48,0:50:34.77,Default,,0000,0000,0000,,a quantum computer that\Nnobody has heard about. Dialogue: 0,0:50:34.77,0:50:37.23,Default,,0000,0000,0000,,Herald: And another one? Dialogue: 0,0:50:37.23,0:50:38.76,Default,,0000,0000,0000,,Signal Angel: Another one... Is it thinkable Dialogue: 0,0:50:38.76,0:50:41.49,Default,,0000,0000,0000,,that the NSA solved the P=NP problem Dialogue: 0,0:50:41.49,0:50:43.21,Default,,0000,0000,0000,,but keeps quiet? Dialogue: 0,0:50:43.21,0:50:45.78,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:50:45.78,0:50:47.67,Default,,0000,0000,0000,,AH: Probably not, but if they have, Dialogue: 0,0:50:47.67,0:50:50.54,Default,,0000,0000,0000,,yes, I think they'd want to\Nkeep quiet about it. Dialogue: 0,0:50:50.54,0:50:52.00,Default,,0000,0000,0000,,NH: I hope they would tell us!
Dialogue: 0,0:50:52.00,0:50:53.57,Default,,0000,0000,0000,,AH: I hope they would tell us too, Dialogue: 0,0:50:53.57,0:50:56.01,Default,,0000,0000,0000,,but I doubt it. Dialogue: 0,0:50:56.01,0:50:59.93,Default,,0000,0000,0000,,Herald: Okay, and over to\Nnumber 1, please. Dialogue: 0,0:50:59.93,0:51:01.54,Default,,0000,0000,0000,,Q: Two questions. Dialogue: 0,0:51:01.54,0:51:05.60,Default,,0000,0000,0000,,First, is it reasonable to think that, Dialogue: 0,0:51:05.60,0:51:09.20,Default,,0000,0000,0000,,is it possible they are attacking\Nindividual RSA keys, Dialogue: 0,0:51:09.20,0:51:11.32,Default,,0000,0000,0000,,that they can fetch individual RSA keys Dialogue: 0,0:51:11.32,0:51:13.53,Default,,0000,0000,0000,,in about a week with custom hardware, Dialogue: 0,0:51:13.53,0:51:17.58,Default,,0000,0000,0000,,and two, NSA Suite B came out 2005 Dialogue: 0,0:51:17.58,0:51:19.16,Default,,0000,0000,0000,,and they don't use Diffie-Hellman, Dialogue: 0,0:51:19.16,0:51:22.67,Default,,0000,0000,0000,,so NSA themselves, they told us in 2005, Dialogue: 0,0:51:22.67,0:51:24.73,Default,,0000,0000,0000,,"we won't use Diffie-Hellman", Dialogue: 0,0:51:24.73,0:51:26.57,Default,,0000,0000,0000,,so is it reasonable that, Dialogue: 0,0:51:26.57,0:51:28.40,Default,,0000,0000,0000,,when they changed the requirement Dialogue: 0,0:51:28.40,0:51:30.73,Default,,0000,0000,0000,,for top secret, we should follow? Dialogue: 0,0:51:30.73,0:51:33.47,Default,,0000,0000,0000,,AH: Well, to the first part\Nof your question, Dialogue: 0,0:51:33.47,0:51:35.86,Default,,0000,0000,0000,,about whether they're factoring RSA, Dialogue: 0,0:51:35.86,0:51:38.58,Default,,0000,0000,0000,,I think the answer for 1024, Dialogue: 0,0:51:38.58,0:51:40.60,Default,,0000,0000,0000,,is very likely, yes they are, Dialogue: 0,0:51:40.60,0:51:42.32,Default,,0000,0000,0000,,for high-value targets. 
Dialogue: 0,0:51:42.32,0:51:45.02,Default,,0000,0000,0000,,So if you're a major website at least Dialogue: 0,0:51:45.02,0:51:48.09,Default,,0000,0000,0000,,and you're using a 1024-bit RSA key, Dialogue: 0,0:51:48.09,0:51:53.00,Default,,0000,0000,0000,,well, it's long past time to change\Nto a higher strength. Dialogue: 0,0:51:53.00,0:51:56.48,Default,,0000,0000,0000,,NH: If the NSA has not factored\Na 1024-bit key, Dialogue: 0,0:51:56.48,0:51:58.05,Default,,0000,0000,0000,,I'm going to be very disappointed, Dialogue: 0,0:51:58.05,0:52:00.93,Default,,0000,0000,0000,,I'm going to ask where\Nmy tax dollars are going. Dialogue: 0,0:52:00.93,0:52:07.37,Default,,0000,0000,0000,,{\i1}laughter, applause{\i0} Dialogue: 0,0:52:07.37,0:52:09.44,Default,,0000,0000,0000,,And also I think actually, Dialogue: 0,0:52:09.44,0:52:11.00,Default,,0000,0000,0000,,the point of sort of watching Dialogue: 0,0:52:11.00,0:52:12.83,Default,,0000,0000,0000,,what the defensive side of the NSA Dialogue: 0,0:52:12.83,0:52:15.20,Default,,0000,0000,0000,,is advocating in terms of recommendations Dialogue: 0,0:52:15.20,0:52:17.18,Default,,0000,0000,0000,,is actually a wise thing to do, Dialogue: 0,0:52:17.18,0:52:20.16,Default,,0000,0000,0000,,because as far as we know, Dialogue: 0,0:52:20.16,0:52:22.14,Default,,0000,0000,0000,,at least the public recommendations Dialogue: 0,0:52:22.14,0:52:26.45,Default,,0000,0000,0000,,defensively should... I mean, Dialogue: 0,0:52:26.45,0:52:27.58,Default,,0000,0000,0000,,making recommendations for people Dialogue: 0,0:52:27.58,0:52:31.00,Default,,0000,0000,0000,,who are building systems that are\Ngoing to be handling classified data, Dialogue: 0,0:52:31.00,0:52:32.78,Default,,0000,0000,0000,,so they should be solid recommendations Dialogue: 0,0:52:32.78,0:52:33.96,Default,,0000,0000,0000,,as far as we know. 
Dialogue: 0,0:52:33.96,0:52:35.28,Default,,0000,0000,0000,,AH: What the NSA has told me Dialogue: 0,0:52:35.28,0:52:37.58,Default,,0000,0000,0000,,about those recommendations, by the way, Dialogue: 0,0:52:37.58,0:52:40.28,Default,,0000,0000,0000,,is that as long as you\Nfollow them exactly, Dialogue: 0,0:52:40.28,0:52:41.61,Default,,0000,0000,0000,,you're going to be okay, Dialogue: 0,0:52:41.61,0:52:44.16,Default,,0000,0000,0000,,but if you deviate in any\Nsmall way whatsoever, Dialogue: 0,0:52:44.16,0:52:46.96,Default,,0000,0000,0000,,then they make no guarantees whatsoever. Dialogue: 0,0:52:46.96,0:52:50.04,Default,,0000,0000,0000,,So, think about what that might mean Dialogue: 0,0:52:50.04,0:52:52.22,Default,,0000,0000,0000,,in terms of your implementation Dialogue: 0,0:52:52.22,0:52:55.63,Default,,0000,0000,0000,,the next time you read through\Nthose particular recommendations Dialogue: 0,0:52:55.63,0:52:58.47,Default,,0000,0000,0000,,that they make. Dialogue: 0,0:52:58.47,0:53:01.28,Default,,0000,0000,0000,,Herald: Okay. Then we hop over to\Nmicrophone 3, please. Dialogue: 0,0:53:01.28,0:53:03.55,Default,,0000,0000,0000,,Q: So, for the moment, is Dialogue: 0,0:53:03.55,0:53:07.38,Default,,0000,0000,0000,,elliptic-curve-based\NDiffie-Hellman secure? Dialogue: 0,0:53:07.38,0:53:09.86,Default,,0000,0000,0000,,NH: I hope so. Dialogue: 0,0:53:09.86,0:53:13.65,Default,,0000,0000,0000,,AH: It doesn't suffer from\Nthe same shape of attack Dialogue: 0,0:53:13.65,0:53:14.90,Default,,0000,0000,0000,,that we've described here. Dialogue: 0,0:53:14.90,0:53:16.77,Default,,0000,0000,0000,,As far as we know, there's not a way Dialogue: 0,0:53:16.77,0:53:19.02,Default,,0000,0000,0000,,to do this same kind of precomputation Dialogue: 0,0:53:19.02,0:53:20.71,Default,,0000,0000,0000,,for elliptic-curve Diffie-Hellman. 
Dialogue: 0,0:53:20.71,0:53:22.53,Default,,0000,0000,0000,,NH: So what we didn't mention in the talk Dialogue: 0,0:53:22.53,0:53:24.63,Default,,0000,0000,0000,,is, so, one of the reasons that Dialogue: 0,0:53:24.63,0:53:27.30,Default,,0000,0000,0000,,elliptic curve keys are so much shorter Dialogue: 0,0:53:27.30,0:53:30.73,Default,,0000,0000,0000,,than, say, finite-field\NDiffie-Hellman or RSA Dialogue: 0,0:53:30.73,0:53:35.35,Default,,0000,0000,0000,,is because we have this\Nsuperpowerful index calculus Dialogue: 0,0:53:35.35,0:53:37.41,Default,,0000,0000,0000,,number field sieve-type algorithms Dialogue: 0,0:53:37.41,0:53:41.27,Default,,0000,0000,0000,,for factoring and for discrete log\Nover finite fields, Dialogue: 0,0:53:41.27,0:53:43.04,Default,,0000,0000,0000,,and those don't seem, Dialogue: 0,0:53:43.04,0:53:44.31,Default,,0000,0000,0000,,we don't actually have equivalents Dialogue: 0,0:53:44.31,0:53:47.89,Default,,0000,0000,0000,,of those algorithms for\Nproperly generated elliptic curves. Dialogue: 0,0:53:47.89,0:53:50.58,Default,,0000,0000,0000,,So, that's why those key sizes are shorter Dialogue: 0,0:53:50.58,0:53:54.02,Default,,0000,0000,0000,,and that's why we think\Nthey seem to be more secure. Dialogue: 0,0:53:54.02,0:53:57.11,Default,,0000,0000,0000,,Herald: Then we take another one\Nfrom microphone 3, please. Dialogue: 0,0:53:57.11,0:54:01.31,Default,,0000,0000,0000,,Q: Yes, you said that when doing\Nthe precomputations Dialogue: 0,0:54:01.31,0:54:04.82,Default,,0000,0000,0000,,for commonly-used primes, Dialogue: 0,0:54:04.82,0:54:08.33,Default,,0000,0000,0000,,you can reduce the effort you have to put Dialogue: 0,0:54:08.33,0:54:11.28,Default,,0000,0000,0000,,in a single connection\Nto about 70 seconds. Dialogue: 0,0:54:11.28,0:54:12.83,Default,,0000,0000,0000,,How is that usable? 
Dialogue: 0,0:54:12.83,0:54:15.85,Default,,0000,0000,0000,,If my TLS handshake is delayed 70 seconds, Dialogue: 0,0:54:15.85,0:54:18.42,Default,,0000,0000,0000,,I already ran away. Dialogue: 0,0:54:18.42,0:54:20.48,Default,,0000,0000,0000,,AH: Ah! So we refer you to the paper Dialogue: 0,0:54:20.48,0:54:22.09,Default,,0000,0000,0000,,for the full answer to that, Dialogue: 0,0:54:22.09,0:54:23.68,Default,,0000,0000,0000,,but it turns out there's a bunch of tricks Dialogue: 0,0:54:23.68,0:54:28.52,Default,,0000,0000,0000,,that you can do to keep\Na session handshake open Dialogue: 0,0:54:28.52,0:54:30.21,Default,,0000,0000,0000,,for at least 70 seconds. Dialogue: 0,0:54:30.21,0:54:32.24,Default,,0000,0000,0000,,So, this may not be what you want to do Dialogue: 0,0:54:32.24,0:54:35.33,Default,,0000,0000,0000,,to the connection, say, in a web browser Dialogue: 0,0:54:35.33,0:54:37.77,Default,,0000,0000,0000,,that's loading index.html, Dialogue: 0,0:54:37.77,0:54:39.53,Default,,0000,0000,0000,,but whichever one is loading, say, Dialogue: 0,0:54:39.53,0:54:44.62,Default,,0000,0000,0000,,the, I don't know, the 1-pixel\Ntracking image in the background, Dialogue: 0,0:54:44.62,0:54:46.35,Default,,0000,0000,0000,,that nobody sees, Dialogue: 0,0:54:46.35,0:54:48.71,Default,,0000,0000,0000,,which is also getting the same\Nsession cookie, Dialogue: 0,0:54:48.71,0:54:51.06,Default,,0000,0000,0000,,that one you can hold open\Nfor 70 seconds Dialogue: 0,0:54:51.06,0:54:52.84,Default,,0000,0000,0000,,without the user noticing. Dialogue: 0,0:54:52.84,0:54:54.07,Default,,0000,0000,0000,,So what we've been able to do Dialogue: 0,0:54:54.07,0:54:56.37,Default,,0000,0000,0000,,is show a variety of ways\Nthat we can trick Dialogue: 0,0:54:56.37,0:54:58.02,Default,,0000,0000,0000,,browsers and other implementations Dialogue: 0,0:54:58.02,0:55:00.84,Default,,0000,0000,0000,,into holding the connection\Nopen long enough. 
Dialogue: 0,0:55:00.84,0:55:03.49,Default,,0000,0000,0000,,Also, 70 seconds is just\Nwhat we were able to do Dialogue: 0,0:55:03.49,0:55:07.04,Default,,0000,0000,0000,,with a few weeks of hacking\Naround and optimisation, Dialogue: 0,0:55:07.04,0:55:10.66,Default,,0000,0000,0000,,we think that with\Nnot that much more effort Dialogue: 0,0:55:10.66,0:55:13.24,Default,,0000,0000,0000,,we could get that number\Ndown quite a bit more. Dialogue: 0,0:55:13.24,0:55:16.28,Default,,0000,0000,0000,,But 70 seconds we think\Nalready is not so bad, Dialogue: 0,0:55:16.28,0:55:18.24,Default,,0000,0000,0000,,and there's plenty of ways\Nthat we can exploit it. Dialogue: 0,0:55:18.24,0:55:21.49,Default,,0000,0000,0000,,NH: Proof of concept. Dialogue: 0,0:55:21.49,0:55:24.23,Default,,0000,0000,0000,,Herald: Okay. Do we have\Nsomething from the net? Dialogue: 0,0:55:24.23,0:55:26.78,Default,,0000,0000,0000,,Signal Angel: How long do you estimate the security Dialogue: 0,0:55:26.78,0:55:29.49,Default,,0000,0000,0000,,of RSA-DHE to sustain, Dialogue: 0,0:55:29.49,0:55:31.03,Default,,0000,0000,0000,,and do you have any idea if and when Dialogue: 0,0:55:31.03,0:55:33.68,Default,,0000,0000,0000,,there's any quantum encryption algorithms Dialogue: 0,0:55:33.68,0:55:35.32,Default,,0000,0000,0000,,that will soon be available to be used Dialogue: 0,0:55:35.32,0:55:36.85,Default,,0000,0000,0000,,by a broad public? Dialogue: 0,0:55:36.85,0:55:38.95,Default,,0000,0000,0000,,AH: Oh, quantum encryption algorithms. Dialogue: 0,0:55:38.95,0:55:41.15,Default,,0000,0000,0000,,NH: You should watch Dan\Nand Tanja's talk from yesterday. Dialogue: 0,0:55:41.15,0:55:44.07,Default,,0000,0000,0000,,AH: Yeah, last night was the time\Nto hear about that. Dialogue: 0,0:55:44.07,0:55:46.17,Default,,0000,0000,0000,,NH: The dangers of quantum cryptography. 
Dialogue: 0,0:55:46.17,0:55:48.22,Default,,0000,0000,0000,,I mean, the short answer is Dialogue: 0,0:55:48.22,0:55:49.75,Default,,0000,0000,0000,,that people who know\Nwhat they're talking about Dialogue: 0,0:55:49.75,0:55:51.83,Default,,0000,0000,0000,,have said we should start worrying now Dialogue: 0,0:55:51.83,0:55:53.93,Default,,0000,0000,0000,,because we may see quantum computers Dialogue: 0,0:55:53.93,0:55:56.74,Default,,0000,0000,0000,,within the next 15 years, maybe. Dialogue: 0,0:55:56.74,0:55:59.22,Default,,0000,0000,0000,,But it's really hard to speculate about Dialogue: 0,0:55:59.22,0:56:05.03,Default,,0000,0000,0000,,advances in physics that\Nmay be pretty far off. Dialogue: 0,0:56:05.03,0:56:06.77,Default,,0000,0000,0000,,Herald: Do we have another one? Dialogue: 0,0:56:06.77,0:56:09.55,Default,,0000,0000,0000,,Signal Angel: Sure. What's your\Nopinion on the NIST curves, Dialogue: 0,0:56:09.55,0:56:10.89,Default,,0000,0000,0000,,especially with the current rumours Dialogue: 0,0:56:10.89,0:56:15.53,Default,,0000,0000,0000,,about the curve parameters\Nhaving a backdoor? Dialogue: 0,0:56:15.53,0:56:18.31,Default,,0000,0000,0000,,NH: There are no known ways Dialogue: 0,0:56:18.31,0:56:20.71,Default,,0000,0000,0000,,that the curves could have been backdoored Dialogue: 0,0:56:20.71,0:56:23.46,Default,,0000,0000,0000,,with the given parameters. Dialogue: 0,0:56:23.46,0:56:25.63,Default,,0000,0000,0000,,AH: But if you don't trust them, Dialogue: 0,0:56:25.63,0:56:28.16,Default,,0000,0000,0000,,you know Dan Bernstein\Nhas a curve you can use too. Dialogue: 0,0:56:28.16,0:56:30.12,Default,,0000,0000,0000,,NH: So... Dialogue: 0,0:56:30.12,0:56:32.23,Default,,0000,0000,0000,,{\i1}applause{\i0} Dialogue: 0,0:56:32.23,0:56:35.25,Default,,0000,0000,0000,,NH: Do you trust Dan,\Nor do you trust the NSA? Dialogue: 0,0:56:35.25,0:56:37.25,Default,,0000,0000,0000,,{\i1}laughter{\i0} Dialogue: 0,0:56:37.25,0:56:38.86,Default,,0000,0000,0000,,Herald: Over to 2, please.
Dialogue: 0,0:56:38.86,0:56:41.80,Default,,0000,0000,0000,,Q: Some of the little bit\Nthat you recommend, Dialogue: 0,0:56:41.80,0:56:46.25,Default,,0000,0000,0000,,you say Diffie-Hellman is worse\Nthan RSA now, Dialogue: 0,0:56:46.25,0:56:49.93,Default,,0000,0000,0000,,so, does it mean I should switch back Dialogue: 0,0:56:49.93,0:56:54.37,Default,,0000,0000,0000,,to RSA, preferring it instead\Nof Diffie-Hellman? Dialogue: 0,0:56:54.37,0:56:57.07,Default,,0000,0000,0000,,AH: With equivalent key sizes, Dialogue: 0,0:56:57.07,0:56:59.98,Default,,0000,0000,0000,,equivalent sizes of your primes, Dialogue: 0,0:56:59.98,0:57:02.67,Default,,0000,0000,0000,,or your RSA modulus, Dialogue: 0,0:57:02.67,0:57:05.02,Default,,0000,0000,0000,,yes, we are saying that. Dialogue: 0,0:57:05.02,0:57:06.94,Default,,0000,0000,0000,,That in the 1024-bit case, Dialogue: 0,0:57:06.94,0:57:10.11,Default,,0000,0000,0000,,there's strong reasons that you should Dialogue: 0,0:57:10.11,0:57:14.16,Default,,0000,0000,0000,,distrust the very common repeated primes Dialogue: 0,0:57:14.16,0:57:15.69,Default,,0000,0000,0000,,for Diffie-Hellman. Dialogue: 0,0:57:15.69,0:57:17.75,Default,,0000,0000,0000,,But that's not the whole story. Dialogue: 0,0:57:17.75,0:57:26.51,Default,,0000,0000,0000,,Right, so for longer sizes of modulus, Dialogue: 0,0:57:26.51,0:57:27.79,Default,,0000,0000,0000,,larger strengths of crypto, Dialogue: 0,0:57:27.79,0:57:31.68,Default,,0000,0000,0000,,RSA is probably still okay. Dialogue: 0,0:57:31.68,0:57:34.37,Default,,0000,0000,0000,,But I think either way, Dialogue: 0,0:57:34.37,0:57:37.75,Default,,0000,0000,0000,,switching to elliptic curve\Nfor key exchange Dialogue: 0,0:57:37.75,0:57:39.98,Default,,0000,0000,0000,,is probably the thing to do right now. 
Dialogue: 0,0:57:39.98,0:57:42.32,Default,,0000,0000,0000,,NH: I think the precise statement\Nthat we can make Dialogue: 0,0:57:42.32,0:57:44.62,Default,,0000,0000,0000,,is, if you're comparing 1024-bit\NDiffie-Hellman Dialogue: 0,0:57:44.62,0:57:47.43,Default,,0000,0000,0000,,to a 1024-bit RSA key, Dialogue: 0,0:57:47.43,0:57:48.73,Default,,0000,0000,0000,,that if you're using Diffie-Hellman Dialogue: 0,0:57:48.73,0:57:50.98,Default,,0000,0000,0000,,with the most commonly used parameters, Dialogue: 0,0:57:50.98,0:57:52.69,Default,,0000,0000,0000,,say, the Oakley group 2 Dialogue: 0,0:57:52.69,0:57:55.07,Default,,0000,0000,0000,,that everybody on the Internet is using, Dialogue: 0,0:57:55.07,0:57:57.46,Default,,0000,0000,0000,,and you think it is likely that\Na large government agency Dialogue: 0,0:57:57.46,0:58:00.70,Default,,0000,0000,0000,,has already done the\Nprecomputation for that prime, Dialogue: 0,0:58:00.70,0:58:05.36,Default,,0000,0000,0000,,then breaking an individual\Nconnection using that prime Dialogue: 0,0:58:05.36,0:58:06.75,Default,,0000,0000,0000,,with Diffie-Hellman key exchange Dialogue: 0,0:58:06.75,0:58:08.85,Default,,0000,0000,0000,,would be much, much, much less effort Dialogue: 0,0:58:08.85,0:58:14.72,Default,,0000,0000,0000,,than factoring a freshly generated\N1024-bit RSA key that is unique to you. Dialogue: 0,0:58:14.72,0:58:17.72,Default,,0000,0000,0000,,Even if that 1024-bit RSA factorisation Dialogue: 0,0:58:17.72,0:58:20.46,Default,,0000,0000,0000,,is within range of the NSA, Dialogue: 0,0:58:20.46,0:58:21.49,Default,,0000,0000,0000,,it may not be worth their while Dialogue: 0,0:58:21.49,0:58:23.42,Default,,0000,0000,0000,,to actually factor your key. 
Dialogue: 0,0:58:23.42,0:58:25.81,Default,,0000,0000,0000,,Whereas breaking a\NDiffie-Hellman key exchange, Dialogue: 0,0:58:25.81,0:58:27.18,Default,,0000,0000,0000,,they've already done the hard work Dialogue: 0,0:58:27.18,0:58:28.50,Default,,0000,0000,0000,,to break everybody on the Internet, Dialogue: 0,0:58:28.50,0:58:31.25,Default,,0000,0000,0000,,so, you're just one more fish. Dialogue: 0,0:58:31.25,0:58:32.00,Default,,0000,0000,0000,,That's the precise statement Dialogue: 0,0:58:32.00,0:58:33.59,Default,,0000,0000,0000,,that we can make about the security. Dialogue: 0,0:58:33.59,0:58:35.43,Default,,0000,0000,0000,,The real answer: use elliptic curves, Dialogue: 0,0:58:35.43,0:58:41.99,Default,,0000,0000,0000,,or, to use 2048-bit\NDiffie-Hellman: probably fine. Dialogue: 0,0:58:41.99,0:58:43.85,Default,,0000,0000,0000,,Herald: And, over to number 1, please. Dialogue: 0,0:58:43.85,0:58:47.23,Default,,0000,0000,0000,,Q: How realistic is it to use, or to create Dialogue: 0,0:58:47.23,0:58:50.21,Default,,0000,0000,0000,,a new prime for every exchange Dialogue: 0,0:58:50.21,0:58:52.99,Default,,0000,0000,0000,,or at least every few exchanges? Dialogue: 0,0:58:52.99,0:58:55.84,Default,,0000,0000,0000,,NH: So, unfortunately, the properties Dialogue: 0,0:58:55.84,0:59:01.04,Default,,0000,0000,0000,,that you need for discrete log to be hard, Dialogue: 0,0:59:01.04,0:59:02.47,Default,,0000,0000,0000,,you need to have a safe prime Dialogue: 0,0:59:02.47,0:59:05.72,Default,,0000,0000,0000,,and you would hopefully like it\Nnot to be backdoored, Dialogue: 0,0:59:05.72,0:59:09.43,Default,,0000,0000,0000,,generating safe primes is\Nstill kind of effortful Dialogue: 0,0:59:09.43,0:59:10.61,Default,,0000,0000,0000,,on modern hardware, Dialogue: 0,0:59:10.61,0:59:12.01,Default,,0000,0000,0000,,I mean if you try to do it on your laptop Dialogue: 0,0:59:12.01,0:59:15.17,Default,,0000,0000,0000,,it will probably take like, I don't know,\Na minute or something. 
Dialogue: 0,0:59:15.17,0:59:16.94,Default,,0000,0000,0000,,So, it's actually a lot of effort
Dialogue: 0,0:59:16.94,0:59:20.23,Default,,0000,0000,0000,,to generate a new safe prime all the time.
Dialogue: 0,0:59:20.23,0:59:24.49,Default,,0000,0000,0000,,Just use a larger safe prime\Nand you'll be better.
Dialogue: 0,0:59:24.49,0:59:26.09,Default,,0000,0000,0000,,Herald: So we're running out of time,
Dialogue: 0,0:59:26.09,0:59:28.73,Default,,0000,0000,0000,,but let's... with number 2.
Dialogue: 0,0:59:28.73,0:59:32.06,Default,,0000,0000,0000,,Q: You said that elliptic\Ncurve cryptography
Dialogue: 0,0:59:32.06,0:59:36.93,Default,,0000,0000,0000,,is not susceptible to\Nthis precomputation attack,
Dialogue: 0,0:59:36.93,0:59:43.75,Default,,0000,0000,0000,,is that luck, or is it\Nengineered to be that way?
Dialogue: 0,0:59:43.75,0:59:44.30,Default,,0000,0000,0000,,{\i1}AH laughs{\i0}
Dialogue: 0,0:59:44.30,0:59:45.52,Default,,0000,0000,0000,,NH: ...luck?
Dialogue: 0,0:59:45.52,0:59:46.94,Default,,0000,0000,0000,,AH: In part!
Dialogue: 0,0:59:46.94,0:59:48.01,Default,,0000,0000,0000,,NH: I mean, a combination of both, but
Dialogue: 0,0:59:48.01,0:59:49.16,Default,,0000,0000,0000,,so as far as we know, I mean, you can't do
Dialogue: 0,0:59:49.16,0:59:50.98,Default,,0000,0000,0000,,precomputation with elliptic curves,
Dialogue: 0,0:59:50.98,0:59:53.57,Default,,0000,0000,0000,,so, you know, sort of generically,
Dialogue: 0,0:59:53.57,0:59:54.56,Default,,0000,0000,0000,,the best thing that you can say
Dialogue: 0,0:59:54.56,0:59:58.50,Default,,0000,0000,0000,,is you can do a lot of precomputation
Dialogue: 0,0:59:58.50,1:00:00.72,Default,,0000,0000,0000,,but you still have to do a lot of effort
Dialogue: 0,1:00:00.72,1:00:03.29,Default,,0000,0000,0000,,for each individual value,
Dialogue: 0,1:00:03.29,1:00:05.85,Default,,0000,0000,0000,,so you could do, you know, generically
Dialogue: 0,1:00:05.85,1:00:06.92,Default,,0000,0000,0000,,if you want to break an elliptic curve
Dialogue: 0,1:00:06.92,1:00:08.88,Default,,0000,0000,0000,,you could do like,\Na square-root-of-n attack
Dialogue: 0,1:00:08.88,1:00:10.83,Default,,0000,0000,0000,,against the key size,
Dialogue: 0,1:00:10.83,1:00:13.60,Default,,0000,0000,0000,,you could do, say, n^(2/3) precomputation
Dialogue: 0,1:00:13.60,1:00:17.54,Default,,0000,0000,0000,,and then you would have n^(1/3) online work
Dialogue: 0,1:00:17.54,1:00:19.37,Default,,0000,0000,0000,,if that makes sense to you.
Dialogue: 0,1:00:19.37,1:00:22.82,Default,,0000,0000,0000,,But you get less effort as far as we know.
Dialogue: 0,1:00:22.82,1:00:24.61,Default,,0000,0000,0000,,Less benefit.
Dialogue: 0,1:00:24.61,1:00:28.49,Default,,0000,0000,0000,,Herald: Sorry. We're going to finalise\Nthen, with number 4.
Dialogue: 0,1:00:28.49,1:00:31.06,Default,,0000,0000,0000,,Q: What do you think about blacklisting\Nthese common primes,
Dialogue: 0,1:00:31.06,1:00:32.46,Default,,0000,0000,0000,,just in the modern browsers?
Dialogue: 0,1:00:32.46,1:00:34.92,Default,,0000,0000,0000,,Will this get rid of this issue?
Dialogue: 0,1:00:34.92,1:00:36.92,Default,,0000,0000,0000,,AH: Just blacklisting the common primes,
Dialogue: 0,1:00:36.92,1:00:39.11,Default,,0000,0000,0000,,well, if you blacklist the common primes,
Dialogue: 0,1:00:39.11,1:00:41.03,Default,,0000,0000,0000,,if you blacklisted the common primes
Dialogue: 0,1:00:41.03,1:00:43.23,Default,,0000,0000,0000,,when we first came up with this,
Dialogue: 0,1:00:43.23,1:00:47.48,Default,,0000,0000,0000,,you'd immediately break\Nabout 10% of websites
Dialogue: 0,1:00:47.48,1:00:49.67,Default,,0000,0000,0000,,because there's not a good\Nfallback mechanism
Dialogue: 0,1:00:49.67,1:00:52.42,Default,,0000,0000,0000,,if you don't like the prime you got
Dialogue: 0,1:00:52.42,1:00:54.73,Default,,0000,0000,0000,,during key negotiation.
Dialogue: 0,1:00:54.73,1:00:56.73,Default,,0000,0000,0000,,What the browsers are more likely to do
Dialogue: 0,1:00:56.73,1:01:01.92,Default,,0000,0000,0000,,is to phase out this kind of\Nfinite-field Diffie-Hellman entirely,
Dialogue: 0,1:01:01.92,1:01:04.55,Default,,0000,0000,0000,,over the next larger number of years.
Dialogue: 0,1:01:04.55,1:01:06.58,Default,,0000,0000,0000,,So first they're going to\Nstart rejecting things
Dialogue: 0,1:01:06.58,1:01:09.39,Default,,0000,0000,0000,,that use unusually weak primes,
Dialogue: 0,1:01:09.39,1:01:11.58,Default,,0000,0000,0000,,that's what they're doing already today,
Dialogue: 0,1:01:11.58,1:01:13.06,Default,,0000,0000,0000,,but I think in the long term
Dialogue: 0,1:01:13.06,1:01:16.81,Default,,0000,0000,0000,,they're going to encourage the use\Nof elliptic curves as an alternative,
Dialogue: 0,1:01:16.81,1:01:18.41,Default,,0000,0000,0000,,if you want forward secrecy,
Dialogue: 0,1:01:18.41,1:01:22.02,Default,,0000,0000,0000,,elliptic curves will be the way to get it.
Dialogue: 0,1:01:22.02,1:01:24.56,Default,,0000,0000,0000,,Herald: Nadia, Alex, once again,
Dialogue: 0,1:01:24.56,1:01:25.70,Default,,0000,0000,0000,,thank you so much.
Dialogue: 0,1:01:25.70,1:01:26.79,Default,,0000,0000,0000,,AH: Thank you.
Dialogue: 0,1:01:26.79,1:01:32.57,Default,,0000,0000,0000,,{\i1}applause{\i0}
Dialogue: 0,1:01:32.57,1:01:36.60,Default,,0000,0000,0000,,{\i1}postroll music{\i0}
Dialogue: 0,1:01:36.60,1:01:44.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2016. Join, and help us!